Energy Costs
and energy savings with adaptability and superior hardware.
a high 93% energy efficiency. Powerful Intel® Xeon® 5500 series quad core processors intelligently save power during low-use periods and increase performance when systems require it. Intel® Xeon® 5500 series processors include virtualization technologies to lead the way in performance, scalability, and simplified server management and migration.

The iX-N4224 supports up to 144GB of DDR3 1333 energy efficient RAM and utilizes three 5000 RPM cooling PWM fans and two 5000 RPM rear exhaust PWM fans. iX-N4224 servers offer up to 48 terabytes of storage with 24 hot-swappable SAS/SATA drive bays in a 4U configuration. Storage sizes for the iX-N4224 are customizable, with 250GB, 500GB, 750GB, 1TB, and 2TB hard drives available.

The iX-N4224 provides the ideal solution for applications requiring maximum storage capacity and power savings. For particularly storage-hungry applications, Western Digital® offers 2TB WD™ RE4-GP hard drives, which offer lower power use during idle times, a 64 megabyte cache, up to 25% increased performance, and a savings of up to $10 per drive on yearly power costs. Each hard drive is equipped with improvements to rotary vibration tolerance and calculates optimum seek speeds to lower power consumption, noise, and vibration. These drives also require less power and time to start up, allowing more drives to start spinning simultaneously due to the decrease in the current each drive requires. Equipping the Orion iX-N4224 4U storage server with the WD™ RE4-GP drives provides unparalleled storage capacity and power efficiency.
06 Keeping FreeBSD Up-To-Date: OS Essentials
Richard Bejtlich
An important system administration task, and a principle of running a defensible network, is keeping operating systems and applications up-to-date. This article presents multiple ways to do that.

26 Using BSD for your Studies
Edd Barrett
About four years ago Edd was starting his undergraduate computing degree. He knew that UNIX-like operating systems had proven themselves in the server room, but how would they fare in the lecture theatre?

30 The FreeBSD Chatterbox
Eric Vintimilla
Day in and day out, your FreeBSD sits there quietly, processing its workload. It never complains or asks for any favors, but what would it say if it could talk? The answer to that question is easy. It will say whatever you want it to. Make your FreeBSD more talkative with Festival.

how-to's
32 Encrypting the FreeBSD root file system
Jacques Manukyan
Systems are only as secure as you make them. Thankfully, FreeBSD offers an excellent range of tools and mechanisms to ensure that all your security needs are met.

40 Setting up PC-BSD as a server
Jan Stedehouder
PC-BSD is so easy to install and the KDE desktop easy enough to use that we might almost forget its roots as a server operating system. Now, and in the future, the majority of desktop users might not consider this piece of information of any value.

44 How to Build a Scalable Search Engine Using the BuildaSearch Web Service
Diego Montalvo
While other articles do a fantastic job focusing on core BSD technology, I feel that it is also important to cover web services powered by BSD systems.

48 Is NetBSD ready for a desktop?
Petr Topiarz
In this article Petr is focusing on the usability of NetBSD as a desktop. He shows what NetBSD can do today and whether it is mature enough to challenge PC-BSD or Linux. If you want to know, start reading!

56 FreeBSD on the SheevaPlug
Donald T. Hayford
Though NetBSD is better known for supporting a wide variety of processors and systems, FreeBSD has an active embedded component, as well. In this article, we'll take a look at the ARM-based SheevaPlug and show you how to boot your Plug using FreeBSD.

64 Email server in FreeBSD
Francisco Reyes
This tutorial is a step by step guide on how to set up your own mail server using Postfix as the Mail Transfer Agent (MTA) and Dovecot as the IMAP server and as the authenticating agent for Postfix.

70 Monitoring OpenBSD with Symon
Matthias Pfeifer
Once you have your OpenBSD server running, you might want to monitor your machine. There are several ways to do this and there is a large amount of tools you could use for it. One of these tools I will show you in this how-to article is Symon.

72 BSD as the Platform for Connecting Strategy to Operations Through a Data Concourse Service
Richard C. Batka
A major change is about to take place in large organizations worldwide and BSD is positioned perfectly to play a starring role.

76 Living The PC-BSD Lifestyle
James T. Nixon III
Some people are Mac, some are Windows, I am PC-BSD. PC-BSD is more than an operating system, it's a lifestyle.
Keeping FreeBSD Up-To-Date: OS Essentials

Richard Bejtlich

An important system administration task, and a principle of running a defensible network, is keeping operating systems and applications up-to-date.


Running current software is critical when older services are vulnerable to exploitation. Obtaining new features not found in older applications is another reason to run current software. Fortunately, open source software offers a variety of means to give users a secure, capable computing environment.

This article presents multiple ways to keep the FreeBSD operating system up-to-date. I take a FreeBSD 7.1 RELEASE system through a subset of security advisories to explain the different sorts of patches an administrator might apply. It is important to realize that this article discusses the OS only; it does not discuss applications. FreeBSD does not have a unified update mechanism for the OS and applications. By applications I mean software outside of the kernel and userland, such as anything installed from ports or packages. For example, Debian systems can use the apt tool to keep the distribution and packaged applications up-to-date. FreeBSD does not have a single equivalent tool, so this article only addresses keeping the OS up-to-date. Keep in mind that third-party software still needs its own update process: an OS that is fully patched by the methods below can still carry a vulnerable application.

Note that there is a difference between an update and an upgrade. I use the term update to refer to keeping a certain version of FreeBSD up-to-date. For example, keeping a FreeBSD 7.1 system at version 7.1, but having the appropriate security and critical patches applied, qualifies as an update process. I use the term upgrade to refer to changing the FreeBSD version, either to a new minor version or to a new major version. For example, migrating from FreeBSD 7.1 to 7.2, or from 7.2 to 8.0, qualifies as an upgrade process.

I chose FreeBSD 7.1, released in January 2009, as my starting point because it offers a security history suitable for describing multiple update cases. At the time of writing FreeBSD 7.2 is the latest STABLE release and 8.0 is in BETA. Readers wondering why someone might want to install an old OS version can imagine that there might be an application supported only on FreeBSD 7.1 and not yet officially ready for 7.2 or 8.0, prompting an administrator to run a 7.1 box.

All of the work done in this article was done remotely via OpenSSH. One danger of performing remote upgrades is losing the connection during a critical phase of the process. One software-based way to deal with this issue is to conduct all remote upgrades within a screen(1) session (http://www.freshports.org/misc/screen). Should you lose connectivity during the upgrade while running screen, your session will continue uninterrupted. The screen(1) program has suffered security problems in the past, so balance its features against the possible risks.
My advice on administering this reference platform is based on deploying FreeBSD on servers, workstations, and laptops since 2000. The article represents a mix of my interpretations of official FreeBSD documentation, inputs from mentors, and the result of my own experimentation and deployment strategies. This guide cannot be anywhere near a complete reference on keeping FreeBSD up-to-date or maintaining a secure system. I strongly recommend reading the excellent FreeBSD Handbook as well as the multiple helpful published books on FreeBSD.

FreeBSD Handbook and Absolute FreeBSD, 2nd Ed

Please note that Chapter 24, Updating and Upgrading FreeBSD, is the authoritative source for information on keeping the FreeBSD OS up-to-date (http://www.freebsd.org/doc/en/books/handbook/updating-upgrading.html). The reason I wrote this article was to show how these various mechanisms apply in practice, and which I prefer in production. I must also recommend Michael W. Lucas' excellent book Absolute FreeBSD, 2nd Ed (No Starch, 2008). Several other talented FreeBSD writers have produced books, but Michael's is my favorite. For deeper coverage on the topics in this article, please see the Handbook or Michael's book.


The Short Answer: Updating FreeBSD with Binary Upgrades

If you want to jump straight to the easiest way to keep the FreeBSD OS up-to-date, without changing major or minor versions, and you are a standard user who has not customized his or her kernel and userland, follow these instructions. I present this first and with little introduction because it is the most basic and important step for keeping the FreeBSD OS up-to-date for the majority of users.

1. Set a proxy, if necessary, using setenv HTTP_PROXY http://myproxy:myport.
2. Run freebsd-update fetch.
3. Run freebsd-update install.
4. Reboot.

These steps are demonstrated on a FreeBSD 7.2 system installed from CD (see Listing 1).

Following those four steps will keep a generic FreeBSD system up-to-date. Two details in Listing 1 deserve attention. First, freebsd-update fetch prints the list of files it will replace; when that list contains anything under /boot/kernel, as it does here, the reboot in step 4 is required, whereas a userland-only update instead calls for restarting the daemons whose binaries changed. Second, after the reboot uname reports 7.2-RELEASE-p2 although freebsd-update announced an update to 7.2-RELEASE-p3. That is not a failed update: uname shows the patch level compiled into the running kernel, and the p3 patch touched only userland (the file list includes /usr/sbin/named, while the kernel it installs is the p2 build). Running freebsd-update fetch a second time and seeing no further files listed is the reliable way to confirm the system is current.

Colin Percival's FreeBSD Update tool is one of the best new aspects of FreeBSD, in my opinion. Prior to binary updates, FreeBSD administrators had to rely on recompiling source code whenever updates needed to be applied. This included casual users operating standard systems as well as power users operating custom systems.


Listing 1. Uname output for FreeBSD 7.2

freebsd7a# uname -a
FreeBSD freebsd7a.localdomain 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May  1 07:18:07 UTC 2009     root@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
freebsd7a# setenv HTTP_PROXY http://172.16.2.1:3128
freebsd7a# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from update5.FreeBSD.org... done.
Fetching metadata signature for 7.2-RELEASE from update5.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 26 patches.....10....20.... done.
Applying patches... done.
The following files will be updated as part of updating to 7.2-RELEASE-p3:
/boot/kernel/if_bce.ko
/boot/kernel/if_bce.ko.symbols
/boot/kernel/if_fxp.ko
/boot/kernel/if_fxp.ko.symbols
/boot/kernel/kernel
/boot/kernel/kernel.symbols
...edited...
/usr/sbin/named
/usr/sbin/nologin
/usr/sbin/ntpd
freebsd7a# freebsd-update install
Installing updates... done.
freebsd7a# reboot
freebsd7a# uname -a
FreeBSD freebsd7a.localdomain 7.2-RELEASE-p2 FreeBSD 7.2-RELEASE-p2 #0: Wed Jun 24 00:57:44 UTC 2009     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

Listing 2. Uname output for FreeBSD 7.1

freebsd7# uname -a
FreeBSD freebsd7.localdomain 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan  1 14:37:25 UTC 2009     root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
With FreeBSD Update, casual users not making changes to the standard kernel and userland can quickly and easily keep the FreeBSD OS up-to-date. With some careful use, even power users can benefit from binary updates.

The rest of the article demonstrates additional methods and details, depending on the administrator's needs.
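As an added example, which is not code from the article or from FreeBSD's own freebsd-update, the POSIX sh helpers below read the output of freebsd-update fetch and tell the operator whether the pending update reaches into /boot/kernel (reboot required, as in step 4 of the short answer) or only userland (install, then restart the daemons whose binaries changed). The sample fetch output is constructed from Listing 1 rather than captured from a live host; the function names, the use of PAGER=cat to keep freebsd-update from paging its file list, and the shutdown command in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the article or from FreeBSD's freebsd-update:
# classify what "freebsd-update fetch" is about to change so the operator
# knows whether the reboot in step 4 is really needed.

# Constructed sample, shortened from Listing 1 (not captured from a live host).
SAMPLE_FETCH_OUTPUT='Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 7.2-RELEASE from update5.FreeBSD.org... done.
Inspecting system... done.
The following files will be updated as part of updating to 7.2-RELEASE-p3:
/boot/kernel/if_bce.ko
/boot/kernel/kernel
/usr/sbin/named
/usr/sbin/ntpd'

# patch_level RELEASE: the numeric -pN suffix of a release string, 0 if absent.
#   patch_level 7.2-RELEASE-p3  -> 3
#   patch_level 7.1-RELEASE     -> 0
patch_level() {
    case "$1" in
        *-RELEASE-p[0-9]*) echo "${1##*-p}" ;;
        *)                 echo 0 ;;
    esac
}

# target_release: print the release freebsd-update intends to install, taken
# from its "The following files will be updated ..." line (stdin -> stdout).
target_release() {
    sed -n 's/^The following files will be updated as part of updating to \(.*\):$/\1/p'
}

# plan: read freebsd-update fetch output on stdin and print one word:
#   up-to-date  no file list was printed, nothing to install
#   kernel      something under /boot/kernel changes: install, then reboot
#   userland    only userland files change: install, then restart the daemons
#               that own those files (no reboot needed)
plan() {
    out=$(cat)
    if [ -z "$(printf '%s\n' "$out" | target_release)" ]; then
        echo up-to-date
    elif printf '%s\n' "$out" | grep -q '^/boot/kernel/'; then
        echo kernel
    else
        echo userland
    fi
}

# kernel_lags RUNNING TARGET: true when uname -r reports an older patch level
# than freebsd-update installed. This is normal after a userland-only patch
# (Listing 1 shows -p2 from uname right after installing -p3) and does not
# mean the update failed; uname only reflects the kernel's own patch level.
kernel_lags() {
    [ "$(patch_level "$1")" -lt "$(patch_level "$2")" ]
}

# On a real FreeBSD host (not run here):
#   PAGER=cat freebsd-update fetch > /tmp/fu.out
#   case "$(plan < /tmp/fu.out)" in
#       up-to-date) ;;
#       kernel)     freebsd-update install && shutdown -r now ;;
#       userland)   freebsd-update install ;;   # then restart affected daemons
#   esac
```

The classification relies on the file list alone, not on uname, precisely because uname cannot distinguish "p3 installed, kernel unchanged" from "p3 never installed".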


Listing 3. Installing GnuPG

freebsd7# pkg_add -vr gnupg
scheme:   [ftp]
user:     []
password: []
host:     [ftp.freebsd.org]
port:     [0]
document: [/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/gnupg.tbz]
---> ftp.freebsd.org:21
looking up ftp.freebsd.org
connecting to ftp.freebsd.org:21
...edited...
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/gnupg.tbz... Done.
x +CONTENTS
...edited...
Package gnupg-2.0.9_2 registered in /var/db/pkg/gnupg-2.0.9_2

Figure 2. FreeBSD versions at ftp.freebsd.org (screenshot of the directory index at ftp://ftp.freebsd.org/pub/FreeBSD/ISO-IMAGES-i386/: releases 4.10 through 6.2 have moved to ftp-archive; 6.3, 6.4, 7.0, 7.1, 7.2 and 8.0 are listed, along with README.TXT)

Understanding FreeBSD Versions

Before explaining ways to keep the FreeBSD OS up-to-date, I must briefly expand on the idea of the term up-to-date. Thanks to FreeBSD's open source development methodology, any version of FreeBSD is available via check out from the Concurrent Versions System (CVS) (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/anoncvs.html). These versions can be represented by CVS revision tags (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvs-tags.html). The following examples begin with 7.2 RELEASE, the most recently published version of FreeBSD:


RELENG_7_2_0_RELEASE is FreeBSD 7.2 RELEASE, just as you might get on CD. RELENG_7_2_0_RELEASE is also known as a release tag.
RELENG_7_2 is the security branch for 7.2, which is FreeBSD 7.2 RELEASE with patches for security advisories and critical fixes applied. RELENG_7_2 is known as a branch tag.
RELENG_7 is the development line of the FreeBSD 7 tree, also known as 7-STABLE. RELENG_7 is also a branch tag.
. ("dot"), also known as HEAD, is the development line of the next version of FreeBSD, 8.0, also known as 8-CURRENT or simply CURRENT.


At the time of writing, the FreeBSD project was working the release process for FreeBSD 8.0. Creating FreeBSD 8.0 means declaring that, as of a certain date, FreeBSD 8-CURRENT will now be designated FreeBSD 8.0. From that point forward, CURRENT will be the future FreeBSD 9.0, so CURRENT will be considered 9-CURRENT.

The bottom line is that CURRENT should always be thought of as the next major version of FreeBSD. When 7.2 was the newest FreeBSD version, CURRENT was being developed as FreeBSD 8.0. When FreeBSD 8.0 is released, CURRENT will be developed as FreeBSD 9.0.

Incidentally, during the release process for FreeBSD 8.0, various beta (BETA) and release candidate (RC) versions will be released to facilitate testing. In the article you will see references to FreeBSD 8.0-BETA versions, for example.

Linux users should note that these CVS revision tags do not pertain to the FreeBSD kernel alone. FreeBSD is developed as an integrated system, with a kernel matching userland tools. One should not run a kernel compiled for FreeBSD 7.2 RELEASE on a CURRENT machine. The kernel and all userland utilities are meant to be upgraded simultaneously, and must be kept synchronized. While Linux users are usually forced to acknowledge this good system administration practice when they upgrade major versions of their kernel (e.g., 2.4 to 2.6), they often maintain the same userland across minor kernel versions. FreeBSD strongly encourages users to always keep the userland and kernel in sync using the methods explained in the Handbook and elaborated upon in this document.

When thinking of what it means to be up-to-date, one can see that the oldest version of FreeBSD 7.2 is that which was pressed to CD: RELENG_7_2_0_RELEASE or FreeBSD 7.2 RELEASE. The newest version of FreeBSD 7.x would be 7-STABLE (also called 7.2-STABLE), a constantly moving target modified and improved on a daily basis. How does an administrator decide what to run on her machines?

I prefer to begin a system's life by installing RELEASE software, like FreeBSD 7.2 RELEASE. As long as the system performs as I would expect it to, I then track the RELENG_7_2 or security branch. This allows me to incorporate fixes for critical bugs and security problems that could otherwise jeopardize the system.

Occasionally I may encounter a system that requires a feature (like supporting a new piece of hardware) not present in the RELEASE or security branches. In cases where that feature is supported by STABLE, I will upgrade to that branch. In the rare cases where not even STABLE has the feature I need, I might install a snapshot of the CURRENT branch. I do not recommend running CURRENT in production environments as it is not supported like the RELEASE or STABLE versions are.


Learning About Security Issues

FreeBSD security advisories are published at the FreeBSD security page and at the freebsd-security-notifications mailing list (http://www.freebsd.org/security/advisories.html and http://lists.freebsd.org/pipermail/freebsd-security-notifications/). I recommend all FreeBSD users subscribe to the moderated, very low volume notification mailing list. The advisories provide
Listing 4. Importing the FreeBSD PGP keys

freebsd7# gpg --import /usr/share/doc/en_US.ISO8859-1/books/handbook/pgpkeys.html
gpg: directory '/root/.gnupg' created
gpg: new configuration file '/root/.gnupg/gpg.conf' created
gpg: WARNING: options in '/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring '/root/.gnupg/secring.gpg' created
gpg: keyring '/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key CA6CDFB2: public key "FreeBSD Security Officer <security-officer@FreeBSD.org>" imported
gpg: key FF8AE305: public key "core-secretary@FreeBSD.org" imported
gpg: key 7414629C: public key "FreeBSD portmgr secretary <portmgr-secretary@FreeBSD.org>" imported
gpg: Total number processed: 3
gpg:               imported: 3  (RSA: 1)
gpg: no ultimately trusted keys found

Listing 5. Contents of /usr/src

freebsd7# ls /usr/src
COPYRIGHT          contrib            rescue
LOCKS              crypto             sbin
MAINTAINERS        etc                secure
Makefile           games              share
Makefile.inc1      gnu                sys
ObsoleteFiles.inc  include            tools
README             kerberos5          usr.bin
UPDATING           lib                usr.sbin
bin                libexec
cddl               release


Listing 6. Checking out source code using CVS

freebsd7# cd /usr
freebsd7# cvs -d anoncvs@anoncvs1.freebsd.org:/home/ncvs co -r RELENG_7_1_0_RELEASE src
cvs checkout: Updating src
cvs checkout: Updating src/bin
cvs checkout: Updating src/bin/cat
...edited...

Listing 7. Installing CVSup

freebsd7# pkg_add -vr cvsup-without-gui
...edited...
x bin/cvpasswd
x bin/cvsup
x sbin/cvsupd
...edited...
Package cvsup-without-gui-16.1h_4 registered in /var/db/pkg/cvsup-without-gui-16.1h_4
Listing 8. Retrieving the patch for ktimer

freebsd7# fetch http://security.FreeBSD.org/patches/SA-09:06/ktimer.patch
ktimer.patch                                     100% of  476  B
freebsd7# fetch http://security.FreeBSD.org/patches/SA-09:06/ktimer.patch.asc
ktimer.patch.asc                                 100%

Listing 9. Verifying the ktimer patch

freebsd7# gpg --verify ktimer.patch.asc ktimer.patch
gpg: Signature made Sun Mar 22 19:59:58 2009 EDT using DSA key ID CA6CDFB2
gpg: Good signature from "FreeBSD Security Officer <security-officer@FreeBSD.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C374 0FC5 69A6 FBB1 4AED B131 15D6 8804 CA6C DFB2


Listing 10. Patching ktimer

freebsd7# patch < /root/ktimer.patch
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- sys/kern/kern_time.c	(revision 190192)
|+++ sys/kern/kern_time.c	(working copy)
--------------------------
Patching file sys/kern/kern_time.c using Plan A...
Hunk #1 succeeded at 1079 (offset -6 lines).
done


Listing 11. Rebuilding the kernel

freebsd7# cd /usr/src/sys/i386/conf
freebsd7# cp GENERIC FREEBSD7
freebsd7# cd /usr/src
freebsd7# make buildkernel KERNCONF=FREEBSD7
===> FREEBSD7
mkdir -p /usr/obj/usr/src/sys
>>> stage 1: configuring the kernel
cd /usr/src/sys/i386/conf;  PATH=/usr/obj/usr/src/tmp/legacy/usr/sbin:/usr/obj/usr/src/tmp/legacy/usr/bin:/usr/obj/usr/src/tmp/legacy/usr/games:/usr/obj/usr/src/tmp/usr/sbin:/usr/obj/usr/src/tmp/usr/bin:/usr/obj/usr/src/tmp/usr/games:/sbin:/bin:/usr/sbin:/usr/bin  config  -d /usr/obj/usr/src/sys/FREEBSD7  /usr/src/sys/i386/conf/FREEBSD7
Kernel build directory is /usr/obj/usr/src/sys/FREEBSD7
...edited...
background, a problem description, an impact statement, workaround advice, a solution to fix the problem, and correction details. We'll take a closer look at an actual security advisory when we learn how to apply patches manually to the operating system.


Starting with the Installation

Let's start with the most common deployment scenario, using FreeBSD 7.1 RELEASE as our starting point. For this version, the CVS tag is RELENG_7_1_0_RELEASE for the version shipped on CD and RELENG_7_1 for the security branch.

The administrator installs FreeBSD 7.1 RELEASE from CD on a new server. She installs the User distribution set (Average User - binaries and doc only) and installs the ports tree. When installation is done, a check of uname output shows what the system looks like prior to any changes: see Listing 2.

She does not need to modify the kernel and is running the GENERIC version shipped with the OS.

At this point the system is running, but it requires security updates.


Installing GnuPG and Importing Keys

Whenever an administrator wants to manually apply a security patch, it is important to validate those patches using GNU Privacy Guard (GnuPG, http://www.freshports.org/security/gnupg). In this section we will install GnuPG and import FreeBSD developer keys (see Listing 3).

Notice in the output above that the version of GnuPG shipped with FreeBSD 7.1 (in packages-7.1-release) is the version installed automatically here. Like any package, it is outside what the OS update mechanisms in this article maintain, so it needs its own update process.

Next we import the required PGP keys (see Listing 4). The keys come from the copy of the Handbook installed with the doc distribution, so they are only as trustworthy as the installation media; gpg reports them as imported but finds no ultimately trusted keys.

With GnuPG installed, you will be able to check signatures on patches applied later.


Installing Source Code

When the administrator installed FreeBSD 7.1, she did not install the source code for the system. We'll do that next.

FreeBSD source code can either be checked out from CVS online, or installed from other media. Since this system was just installed from CD, and we have the CD handy, we'll install the source code from CD.

The easiest way to install source code from CD is to use the sysinstall program.

First, note that the source code is not available yet on the system.

freebsd7# ls /usr/src
freebsd7#

Launch sysinstall.

1. Select Configure - Do post-install configuration of FreeBSD.
2. Select Distributions - Install additional distribution sets.
3. Select src - Sources for everything by highlighting and hitting the space bar.
4. Select All - Select all of the below by highlighting and hitting return. Tab to OK and hit return.
5. Tab to OK on the Select the distributions you wish to install page and hit return.
6. Select CD/DVD - Install from a FreeBSD CD/DVD and hit return.
7. Wait until the source code is installed, then exit sysinstall.

Now, listing /usr/src shows the source code is installed (Listing 5).

An alternative to installing the source code from CD involves using cvs to check it out. In this example we access an anonymous FreeBSD CVS server (http://www.freebsd.org/doc/en/books/handbook/anoncvs.html). For example: see Listing 6.

With the source code on the system, you will be able to manually apply patches and recompile the whole system or kernel as necessary.


Installing CVSup

The final addition to our FreeBSD 7.1 RELEASE system is the cvsup-without-gui package (see Listing 7).

It turns out that CVSup isn't really needed on modern FreeBSD systems, but I include it here because it is the single most recognizable update tool for FreeBSD.

At this point we have the infrastructure in place to try applying patches as required.


Applying Kernel Patches Manually

In the following sections we will examine a variety of ways to keep FreeBSD up-to-date. In this section we will look at applying kernel patches manually. We've already seen how FreeBSD can make updating the GENERIC kernel very easy. However, the situation becomes more complicated when administrators run custom kernels or make other local modifications.

To demonstrate how to manually patch the FreeBSD kernel on our FreeBSD 7.1 RELEASE system, we will use the FreeBSD-SA-09:06.ktimer advisory as an example (http://security.freebsd.org/advisories/FreeBSD-SA-09:06.ktimer.asc).


To implement this advisory, we follow the instructions in part 2 (see Listing 8). Next we validate the patch (see Listing 9).

GPG warns us that we have not taken any steps to trust the signature of the FreeBSD Security Officer. One of the ways to make this warning disappear would be to sign the key of the FreeBSD Security Officer ourselves. We might do that after confirming in person or on the telephone that the primary key fingerprint of the FreeBSD Security Officer's key is as stated in the output above. Until then, "Good signature" only tells us that the file was signed by whichever key carries ID CA6CDFB2; comparing the full fingerprint against a value obtained out of band is what ties that key to the Security Officer. (Beyond this example, I will not show verifying future patches.)

Listing 12. Installing kernel


freebsd7# make installkernel KERNCONF=FREEBSD7
cd /usr/obj/usr/src/sys/FREEBSD7;  MAKEOBJDIRPREFIX=/usr/obj  MACHINE_ARCH=i386  MACHINE=i386  CPUTYPE= GROFF_BIN_PATH=/usr/obj/usr/src/tmp/legacy/usr/bin GROFF_FONT_PATH=/usr/obj/usr/src/tmp/legacy/usr/share/groff_font GROFF_TMAC_PATH=/usr/obj/usr/src/tmp/legacy/usr/share/tmac  PATH=/usr/obj/usr/src/tmp/legacy/usr/sbin:/usr/obj/usr/src/tmp/legacy/usr/bin:/usr/obj/usr/src/tmp/legacy/usr/games:/usr/obj/usr/src/tmp/usr/sbin:/usr/obj/usr/src/tmp/usr/bin:/usr/obj/usr/src/tmp/usr/games:/sbin:/bin:/usr/sbin:/usr/bin  make KERNEL=kernel install
thiskernel=`sysctl -n kern.bootfile` ;  if [ ! "`dirname "$thiskernel"`" -ef /boot/kernel ] ; then  chflags -R noschg /boot/kernel ;  rm -rf /boot/kernel ;  else  if [ -d /boot/kernel.old ] ; then  chflags -R noschg /boot/kernel.old ;  rm -rf /boot/kernel.old ;  fi ;  mv /boot/kernel /boot/kernel.old ;  sysctl kern.bootfile=/boot/kernel.old/"`basename "$thiskernel"`" ;  fi
kern.bootfile: /boot/kernel/kernel -> /boot/kernel.old/kernel
mkdir -p /boot/kernel
install -p -m 555 -o root -g wheel kernel /boot/kernel
...edited...
install -p -m 555 -o root -g wheel if_zyd.ko.symbols /boot/kernel
kldxref /boot/kernel
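As an added example that is not part of the article, the POSIX sh functions below turn the fingerprint check described above into something a script can enforce: a patch is accepted only if gpg's machine-readable status output (--status-fd) contains a VALIDSIG line carrying the Security Officer fingerprint printed in Listing 9. The status lines used for testing are constructed, not captured from gpg; the pinned fingerprint is taken from Listing 9, and the use of patch -C as a check-only run in the usage comment is an assumption about the local patch(1).

```shell
#!/bin/sh
# Added example, not code from the article: accept a security-officer patch
# only if gpg reports a valid signature from the pinned key fingerprint.
# "Good signature" plus a zero exit status from gpg --verify does not prove
# who signed: gpg exits 0 for any valid signature, trusted key or not.

# Fingerprint of the FreeBSD Security Officer key as printed in Listing 9
# (spaces removed). Pin it from a source you trust, not from the download.
SO_FPR="C3740FC569A6FBB14AEDB13115D68804CA6CDFB2"

# status_has_validsig FPR: read gpg's status lines on stdin and succeed only
# if a VALIDSIG line names exactly this fingerprint. GOODSIG carries only a
# key ID, which is far easier to forge than the full 160-bit fingerprint,
# so it is deliberately not used.
status_has_validsig() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($3) == want { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# verify_patch PATCH SIGNATURE: run gpg with status output on stdout (its
# human-readable messages go to stderr) and pin the signer.
verify_patch() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | status_has_validsig "$SO_FPR"
}

# Constructed status output in the shape gpg --status-fd emits for a signature
# like the one in Listing 9; a sample for exercising the parser, not captured.
# VALIDSIG fields: fingerprint, date, timestamp, expiry, version, reserved,
# pubkey algo (17 = DSA), hash algo (2 = SHA1), class, primary fingerprint.
SAMPLE_GOOD='[GNUPG:] GOODSIG 15D68804CA6CDFB2 FreeBSD Security Officer <security-officer@FreeBSD.org>
[GNUPG:] VALIDSIG C3740FC569A6FBB14AEDB13115D68804CA6CDFB2 2009-03-22 1237766398 0 4 0 17 2 00 C3740FC569A6FBB14AEDB13115D68804CA6CDFB2'

# A perfectly valid signature from some other key must be rejected.
SAMPLE_WRONG_KEY='[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.org>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2009-03-22 1237766398 0 4 0 17 2 00 00112233445566778899AABBCCDDEEFF01234567'

# Usage on a real host (not run here):
#   if verify_patch ktimer.patch ktimer.patch.asc; then
#       patch -C < ktimer.patch && patch < ktimer.patch   # check, then apply
#   else
#       echo "ktimer.patch: signature not from the Security Officer key" >&2
#   fi
```

Pinning the fingerprint in the script removes the dependence on the gpg trust database, so the check gives the same answer on a freshly installed host as on one where the administrator has signed the key.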


Listing 13. Uname output before recompiling kernel

freebsd7# uname -a
FreeBSD freebsd7.localdomain 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan  1 14:37:25 UTC 2009     root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
freebsd7# reboot

Listing 14. Uname output after recompiling kernel

freebsd7# uname -a
FreeBSD freebsd7.localdomain 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Aug ... 2009     root@freebsd7.localdomain:/usr/obj/usr/src/sys/FREEBSD7  i386

www.bsdmag.org
Listing 15. Patching telnetd

freebsd7# fetch http://security.FreeBSD.org/patches/SA-09:05/telnetd.patch
telnetd.patch                                    100% of 1010  B
freebsd7# fetch http://security.FreeBSD.org/patches/SA-09:05/telnetd.patch.asc
telnetd.patch.asc                                100%
freebsd7# gpg --verify telnetd.patch.asc telnetd.patch
gpg: Signature made Mon Feb 16 ... 2009 EST using DSA key ID CA6CDFB2
gpg: Good signature from "FreeBSD Security Officer <security-officer@FreeBSD.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C374 0FC5 69A6 FBB1 4AED B131 15D6 8804 CA6C DFB2
freebsd7# cd /usr/src
freebsd7# patch < /root/telnetd.patch
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- contrib/telnet/telnetd/sys_term.c	(revision 188667)
|+++ contrib/telnet/telnetd/sys_term.c	(working copy)
--------------------------
Patching file contrib/telnet/telnetd/sys_term.c using Plan A...
Hunk #1 succeeded at 1285 (offset 14 lines).
Hunk #2 succeeded at 1310 (offset 14 lines).
done
freebsd7# cd /usr/src/lib/libtelnet
freebsd7# make obj && make depend && make
/usr/obj/usr/src/lib/libtelnet created for /usr/src/lib/libtelnet
rm -f .depend
mkdep -f .depend -a -I/usr/src/lib/libtelnet/../../contrib/telnet -DENCRYPTION -DAUTHENTICATION -DSRA -DKRB5 ...edited... -DFORWARD -Dnet_write=telnet_net_write /usr/src/lib/libtelnet/../../contrib/telnet/libtelnet/genget.c ...edited...
...edited...
building static telnet library
ranlib libtelnet.a
freebsd7# cd /usr/src/libexec/telnetd
freebsd7# make obj && make depend && make && make install
/usr/obj/usr/src/libexec/telnetd created for /usr/src/libexec/telnetd
rm -f .depend
mkdep -f .depend -a -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DINET6 -I/usr/src/libexec/telnetd/../../contrib/telnet -DAUTHENTICATION -DENCRYPTION -DKRB5 -DFORWARD -Dnet_write=telnet_net_write /usr/src/libexec/telnetd/../../contrib/telnet/telnetd/global.c ...edited...
...edited...
install -s -o root -g wheel -m 555 telnetd /usr/libexec
install -o root -g wheel -m 444 telnetd.8.gz /usr/share/man/man8
For now we assume that the patch has not been tampered with and move on to applying it per the advisory's instructions. Now we apply the patch (see Listing 10). Note that patch reports the hunk succeeded at an offset; that is harmless, since patch simply found the expected context a few lines away from where the diff placed it. A rejected hunk, which patch records in a .rej file, is another matter: it means the patch does not fit your source tree and must not be ignored.

Finally we compile a new kernel for our system. Note that we decide to make a copy of the configuration file called FREEBSD7. We do not leave the kernel as GENERIC because we have patched it (see Listing 11).

After waiting several minutes we install the new kernel (see Listing 12).

After a final check of the installed kernel (which is still running), we reboot (see Listing 13).

After reboot, notice that the new kernel is installed (see Listing 14).

The compilation date also matches the date the new kernel was compiled.


Applying Userland Patches Manually

In the previous section we saw how to apply a patch to the kernel, then recompile and install the patched kernel. Here we will look at applying a patch to a userland application that ships with the FreeBSD OS. For this example we will use the FreeBSD-SA-09:05.telnetd advisory (http://security.freebsd.org/advisories/FreeBSD-SA-09:05.telnetd.asc).

To implement this advisory, we follow the instructions in part 2 (see Listing 15).

Since telnetd runs from inetd, we can be sure the next time telnetd starts it will be patched.

In the previous edition of this document (published in 2005), we provided an example of manually patching the userland for FreeBSD-SA-04:05.openssl. That advisory required recompiling the entire userland. The same is true for FreeBSD-SA-06:23.openssl. However, there does not seem to be an advisory since 2006 that required recompiling the whole userland. Even FreeBSD-SA-09:08.openssl, another OpenSSL advisory, only required recompiling part of the userland, as was the case with this telnetd example. In the event you wish to apply a userland patch manually, and it requires recompiling the userland, follow the instructions in the advisory as we have done with these last two examples.


Using CVSup to Apply Patches

So far we have shown how to do quick binary updates using FreeBSD Update, and we manually applied a kernel patch and then a userland patch. In this example we will use the traditional CVSup tool to update the entire system to a specific point in time. For this example we will use the FreeBSD-SA-09:07.libc security advisory (http://security.freebsd.org/advisories/FreeBSD-SA-09:07.libc.asc) to guide our actions.

This security advisory requires a patch to libc. We could have used binary updates to fix this, or applied the security patch manually. Instead we are going to update the whole system to a time when the patch was integrated into the FreeBSD source tree. This is Solution 1 in the advisory. We take the time from the Corrected section of the advisory. Because our system is running FreeBSD 7.1, we look for the date involving that version of FreeBSD.

2009-04-22 14:07:14 UTC (RELENG_7_1, 7.1-RELEASE-p5)

This means we can update all of the source code on our system to a date after 2009-04-22 14:07:14 UTC to be sure the libc patch is applied.

In order to do that, we will use CVSup. We need to create a supfile that controls how CVSup operates. Examples are on the system already (see Listing 16).

Please replace INSERTYOURCHOICE.FreeBS D.org in this and later occurrences with the hostname of a real CVSup server as listed in the FreeBSD Handbook (http://www.freebsd.org/doc/en/books/handbook/cvsup.html).

We set the date to be in the minute after the correction time noted earlier.

Now we are ready to use CVSup to update our source tree (see Listing 17).

Notice the last date listed for updates to src/UPDATING is less than the time specified in our supfile. There are no updates beyond 2009-04-22 14:07:14 UTC. This means CVSup is working as expected. In other words, we are getting updates to 7.1-RELEASE, but not newer than our specified correction date.

Note that CVSup does not natively support HTTP proxies. For information on how to use CVSup through a proxy, specifically mentioning FreeBSD, see my blog post Updating FreeBSD Using CVSup through HTTP Proxy (http://taosecurity.blogspot.com/2009/08/updating-freebsd-using-cvsup-
Listing 16. Example supfiles

freebsd7# ls /usr/share/examples/cvsup
README          ports-supfile   standard-supfile
cvs-supfile     refuse          www-supfile
doc-supfile     refuse.README
gnats-supfile   stable-supfile

We create our own file with these contents:

freebsd7# cat /usr/local/etc/freebsd7-example.supfile
*default host=INSERTYOURCHOICE.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_7_1
*default delete use-rel-suffix
*default date=2009.04.22.14.08.00
*default compress
src-all

Listing 17. Running CVSup

freebsd7# cvsup -g -L 2 /usr/local/etc/freebsd7-example.supfile
Parsing supfile "/usr/local/etc/freebsd7-example.supfile"
Connecting to cvsup3.FreeBSD.org
Connected to cvsup3.FreeBSD.org
Server software version: SNAP_16_1h
Negotiating file attribute support
Exchanging collection information
Establishing multiplexed-mode data connection
Running
Updating collection src-all/cvs
 Edit src/UPDATING
  Add delta 1.507... 2009.01.07.20.17.55 simon
  Add delta 1.507... 2009.01.13.22.12.27 simon
  Add delta 1.507... 2009.02.16.21.56.17 cperciva
  Add delta 1.507... 2009.03.23.00.20.50 cperciva
  Add delta 1.507... 2009.04.22.14.07.14 cperciva
...edited...
 Edit src/contrib/bind9/lib/dns/openssldsa_link.c
  Add delta ... 2009.01.07.20.17.55 simon
 Edit src/contrib/bind9/lib/dns/opensslrsa_link.c
  Add delta ... 2009.01.13.22.12.27 simon
...edited...
 SetAttrs src/usr.sbin/pkg_install/...
Shutting down connection to server
Finished successfully
Listing 18. Commands to rebuild and install userland and kernel from source

cd /usr/src
make buildworld
make buildkernel KERNCONF=FREEBSD7
make installkernel KERNCONF=FREEBSD7
mergemaster -p
make installworld
mergemaster
reboot
Listing 19a. Demonstrating rebuilding and installing userland and kernel from source

-# $FreeBSD: src/etc/master.passwd,v 1.40.18.1 2008/11/25 02:59:29 kensmith Exp $
+# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
 #
-root:$1$...:0:0::0:0:Charlie &:/root:/bin/csh
+root::0:0::0:0:Charlie &:/root:/bin/csh
 toor:*:0:0::0:0:Bourne-again Superuser:/root:
 daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
 operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
...edited...
 pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
 www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
 nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
-analyst:$1$...:1001:1001::0:0:analyst:/home/analyst:/bin/sh

  Use 'd' to delete the temporary ./etc/master.passwd
  Use 'i' to install the temporary ./etc/master.passwd
  Use 'm' to merge the temporary and installed versions
  Use 'v' to view the diff results again

  Default is to leave the temporary file to deal with by hand

How should I deal with this? [Leave it for later] d

An alternative to deleting the temporary file and not accepting changes is to manually integrate changes to files; see the FreeBSD Handbook for information on that process.

In the following we show sample output from the entire update process.

freebsd7# cd /usr/src
freebsd7# make buildworld
>>> World build started on Fri Aug 21 09:13:41 EDT 2009
...edited...
rm -rf /usr/obj/usr/src/tmp
mkdir -p /usr/obj/usr/src/tmp/legacy/usr/bin
mkdir -p /usr/obj/usr/src/tmp/legacy/usr/games
...edited...
===> etc/sendmail (all)
rm -f freebsd.cf
m4 -D_CF_DIR_=/usr/src/etc/sendmail/../../contrib/sendmail/cf/ /usr/src/etc/sendmail/../../contrib/sendmail/cf/m4/cf.m4 /usr/src/etc/sendmail/freebsd.mc > freebsd.cf
chmod 444 freebsd.cf
rm -f freebsd.submit.cf
m4 -D_CF_DIR_=/usr/src/etc/sendmail/../../contrib/sendmail/cf/ /usr/src/etc/sendmail/../../contrib/sendmail/cf/m4/cf.m4 /usr/src/etc/sendmail/freebsd.submit.mc > freebsd.submit.cf
chmod 444 freebsd.submit.cf
>>> World build completed on Fri Aug 21 12:34:00 EDT 2009
freebsd7# make buildkernel KERNCONF=FREEBSD7
>>> Kernel build for FREEBSD7 started on Fri Aug 21 12:34:28 EDT 2009
===> FREEBSD7
mkdir -p /usr/obj/usr/src/sys
>>> stage 1: configuring the kernel
...edited...
ld -Bshareable -d -warn-common -o zyd.ko.debug zyd.kld
objcopy --only-keep-debug zyd.ko.debug zyd.ko.symbols
objcopy --strip-debug --add-gnu-debuglink=zyd.ko.symbols zyd.ko.debug zyd.ko
>>> Kernel build for FREEBSD7 completed on Fri Aug 21 ... EDT 2009
cd /usr/obj/usr/src/sys/FREEBSD7; MAKEOBJDIRPREFIX=/usr/obj MACHINE_ARCH=i386 ...
...edited...
install -o root -g wheel -m 555 zyd.ko.symbols /boot/kernel
kldxref /boot/kernel
freebsd7# mergemaster -p
*** Unable to find mtree database. Skipping auto-upgrade.
Listing 19b. Demonstrating rebuilding and installing userland and kernel from source, continued

*** Creating the temporary root environment in /var/tmp/temproot
 *** /var/tmp/temproot ready for use
 *** Creating and populating directory structure in /var/tmp/temproot
*** Beginning comparison
 *** Temp ./etc/master.passwd and installed have the same CVS Id, deleting
 *** Temp ./etc/group and installed have the same CVS Id, deleting
*** Comparison complete
Do you wish to delete what is left of /var/tmp/temproot? [no]
 *** /var/tmp/temproot will remain
grep: /etc/make.conf: No such file or directory
*** Comparing make variables
 *** From /etc/make.conf
 *** From /usr/src/share/examples/etc/make.conf
freebsd7# make installworld
mkdir -p /tmp/install.rsulHZM5
for prog in [ awk cap_mkdb cat chflags chmod chown date echo egrep find grep install-info ln lockf make mkdir mtree mv pwd_mkdb rm sed sh sysctl test true uname wc zic; do cp `which $prog` /tmp/install.rsulHZM5; done
...edited...
===> etc/sendmail (install)
cd /usr/src/etc/../share/man; make makedb
makewhatis /usr/share/man
makewhatis /usr/share/openssl/man
rm -rf /tmp/install.rsulHZM5
freebsd7# mergemaster
*** Unable to find mtree database. Skipping auto-upgrade.
*** The directory specified for the temporary root environment,
    /var/tmp/temproot, exists. This can be a security risk if untrusted
    users have access to the system.

  Use 'd' to delete the old /var/tmp/temproot and continue
  Use 't' to select a new temporary root directory
  Use 'e' to exit mergemaster

  Default is to use /var/tmp/temproot as is
How should I deal with this? [Use the existing /var/tmp/temproot]
*** Leaving /var/tmp/temproot intact
*** Creating the temporary root environment in /var/tmp/temproot
 *** /var/tmp/temproot ready for use
 *** Creating and populating directory structure in /var/tmp/temproot
mtree -eU -f /usr/src/etc/mtree/BSD.root.dist -p /var/tmp/temproot/
./bin missing (created)
./boot missing (created)
./boot/defaults missing (created)
...edited...
 *** Temp ./etc/login.access and installed have the same CVS Id, deleting
 *** Temp ./etc/login.conf and installed have the same CVS Id, deleting
 *** Temp ./etc/mac.conf and installed have the same CVS Id, deleting
 *** Displaying differences between ./etc/motd and installed version:
--- /etc/motd	2009-08-21 08:49:15.000000000 -0400
+++ ./etc/motd	2009-08-21 13:51:40.000000000 -0400
@@ -1,4 +1,4 @@
-FreeBSD 7.1-RELEASE (GENERIC) #0: Thu Jan  1 14:37:25 UTC 2009
+FreeBSD ?.?.?  (UNKNOWN)
 
 Welcome to FreeBSD!
 
  Use 'd' to delete the temporary ./etc/motd
  Use 'i' to install the temporary ./etc/motd
  Use 'm' to merge the temporary and installed versions
  Use 'v' to view the diff results again

  Default is to leave the temporary file to deal with by hand

How should I deal with this? [Leave it for later] i
   *** ./etc/motd installed successfully
 *** Temp ./etc/netconfig and installed have the same CVS Id, deleting
 *** Temp ./etc/network.subr and installed have the same CVS Id, deleting
...edited...
 *** Temp ./.profile and installed have the same CVS Id, deleting
 *** Temp ./COPYRIGHT and installed have the same CVS Id, deleting
*** Comparison complete
*** Saving mtree database for future upgrades
Do you wish to delete what is left of /var/tmp/temproot? [no]
 *** /var/tmp/temproot will remain
freebsd7# reboot
freebsd7# uname -a
FreeBSD freebsd7.localdomain 7.1-RELEASE-p5 FreeBSD 7.1-RELEASE-p5 #0: Fri Aug 21 ... EDT 2009     root@freebsd7.localdomain:/usr/obj/usr/src/sys/FREEBSD7  i386
Listing 20a. FreeBSD-SA-09:09.pipe security advisory

=============================================================================
FreeBSD-SA-09:09.pipe                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Local information disclosure via direct pipe writes

Category:       core
Module:         kern
Announced:      2009-06-10
Credits:        Pieter de Boer
Affects:        All supported versions of FreeBSD.
Corrected:      2009-06-10 10:31:11 UTC (RELENG_7, 7.2-STABLE)
                2009-06-10 10:31:11 UTC (RELENG_7_2, 7.2-RELEASE-p1)
                2009-06-10 10:31:11 UTC (RELENG_7_1, 7.1-RELEASE-p6)
                2009-06-10 10:31:11 UTC (RELENG_6, 6.4-STABLE)
                2009-06-10 10:31:11 UTC (RELENG_6_4, 6.4-RELEASE-p5)
                2009-06-10 10:31:11 UTC (RELENG_6_3, 6.3-RELEASE-p11)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

One of the most commonly used forms of interprocess communication on
FreeBSD and other UNIX-like systems is the (anonymous) pipe. In this
mechanism, a pair of file descriptors is created, and data written to one
descriptor can be read from the other.

FreeBSD's pipe implementation contains an optimization known as "direct
writes". In this optimization, rather than copying data into kernel memory
when the write(2) system call is invoked and then copying the data again
when the read(2) system call is invoked, the FreeBSD kernel takes advantage
of virtual memory mapping to allow the data to be copied directly between
processes.

II.  Problem Description

An integer overflow in computing the set of pages containing data to be
copied can result in virtual-to-physical address lookups not being
performed.

III. Impact

An unprivileged process can read pages of memory which belong to other
processes or to the kernel. These may contain information which is
sensitive in itself, or may contain passwords or cryptographic keys which
can be indirectly exploited to gain sensitive information or access.

IV.  Workaround

No workaround is available, but systems without untrusted local users are
not vulnerable. System administrators are reminded that even if a system is
not intended to have untrusted local users, it may be possible for an
attacker to exploit some other vulnerability to obtain local user access to
a system.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch dated
after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4, 7.1,
and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:09/pipe.patch
# fetch http://security.FreeBSD.org/patches/SA-09:09/pipe.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
RELENG_6
  src/sys/kern/sys_pipe.c
...edited...
RELENG_7
  src/sys/kern/sys_pipe.c
RELENG_7_2
  src/UPDATING
  src/sys/conf/newvers.sh
  src/sys/kern/sys_pipe.c

BSD 1/2010


through.html). Now we are ready to execute the commands required to rebuild the system using source code. See Listing 18 for instructions.

Note in the following output that when asked whether to install a change using the i input, we usually answer yes. The main exception involves overwriting files used for authentication, like /etc/passwd. In the event a file like that is overwritten, the administrator can log in at the console as root (with no password), and then manually reinstall user accounts and set passwords.


Listing 20b. FreeBSD-SA-09:09.pipe security advisory, continued

RELENG_7_1
  src/UPDATING
  src/sys/conf/newvers.sh
  src/sys/kern/sys_pipe.c
...edited...

Subversion:

Branch/path                                                      Revision
stable/6/
releng/6.4/
releng/6.3/
stable/7/
releng/7.2/
releng/7.1/

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:09.pipe.asc

Version: GnuPG v1.4.9 (FreeBSD)


Listing 21. Supfile for specific CVS date

freebsd7# cat /usr/local/etc/freebsd7-example.supfile
*default host=INSERTYOURCHOICE.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_7_1
*default delete use-rel-suffix
*default date=2009.06.10.10.32.00
*default compress
src-all

In the following example, we do NOT install the file provided by the upgrade, because doing so would delete our /etc/master.passwd file (see Listing 19).

The system is now completely updated to the time specified in the supfile. However, the compilation date for the kernel shows when the kernel was compiled.

Using Csup to Apply Patches

In the last example we used the traditional CVSup tool to apply patches to a system. Most FreeBSD administrators are very familiar with using that tool. However, since FreeBSD 6.2, a C replacement called Csup by Maxime Henrion has been available. In this example we will use the new Csup tool to update the entire system to a specific point in time. For this example we will use the FreeBSD-SA-09:09.pipe security advisory (http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc) to guide our actions (see Listings 20a and 20b).

This security advisory requires a patch to the kernel. We could have used binary updates to fix this, or applied the security patch manually. Instead we are going to update the whole system to a


Listing 22. Csup to a specific date

freebsd7# csup -g -L 2 /usr/local/etc/freebsd7-example.supfile
Parsing supfile "/usr/local/etc/freebsd7-example.supfile"
Connecting to cvsup3.FreeBSD.org
Connected to 128.31.0.26
Server software version: SNAP_16_1h
Negotiating file attribute support
Exchanging collection information
Establishing multiplexed-mode data connection
Running
Updating collection src-all/cvs
 Edit src/UPDATING
  Add delta ... 2009.06.10.10.31.11 cperciva
 Edit src/contrib/ntp/ntpd/ntp_crypto.c
  Add delta ... 2009.06.10.10.31.11 cperciva
 Edit src/sys/conf/newvers.sh
  Add delta ... 2009.06.10.10.31.11 cperciva
 Edit src/sys/kern/sys_pipe.c
  Add delta ... 2009.06.10.10.31.11 cperciva
 Edit src/sys/netinet6/in6.c
  Add delta ... 2009.06.10.10.31.11 cperciva
Shutting down connection to server
Finished successfully


Listing 23. Uname after updating to specific date

freebsd7# uname -a
FreeBSD freebsd7.localdomain 7.1-RELEASE-p6 FreeBSD 7.1-RELEASE-p6 #1: Fri Aug 21 ... EDT 2009     root@freebsd7.localdomain:/usr/obj/usr/src/sys/FREEBSD7  i386
Listing 24. Available binary updates

Index of /

Name               Last Modified          Size   Type
Parent Directory/                            -   Directory
5.5-RELEASE/       2009-Jan-06 15:31:40      -   Directory
6.0-RELEASE/       2009-Jan-06 15:31:40      -   Directory
6.1-RELEASE/       2009-Jan-06 ...           -   Directory
6.2-RELEASE/       2009-Jan-06 15:31:40      -   Directory
6.3-RELEASE/       2009-...                  -   Directory
6.4-RELEASE/       2009-...                  -   Directory
7.0-RELEASE/       2009-Apr-22 13:44:47      -   Directory
7.1-BETA/          2009-Jan-06 15:31:40      -   Directory
7.1-BETA2/         2009-Jan-06 15:31:40      -   Directory
7.1-RC1/           2009-Jan-06 15:31:40      -   Directory
7.1-RC2/           2009-Jan-07 ...           -   Directory
7.1-RELEASE/       2009-Jul-29 ...           -   Directory
7.2-BETA1/         2009-Apr-01 17:44:23      -   Directory
7.2-RC1/           2009-Apr-22 ...           -   Directory
7.2-RC2/           2009-Apr-24 ...           -   Directory
7.2-RELEASE/       2009-Jul-...              -   Directory
8.0-BETA1/         2009-Jul-30 06:04:42      -   Directory
8.0-BETA2/         2009-Jul-30 06:04:...     -   Directory
8.0-BETA3/         2009-Aug-...              -   Directory
to-7.1-RELEASE/    2009-Jan-06 ...           -   Directory
to-7.2-BETA1/      2009-Apr-01 ...           -   Directory
to-7.2-RC1/        2009-Apr-06 ...           -   Directory
to-7.2-RC2/        2009-Apr-24 12:04:41      -   Directory
to-7.2-RELEASE/    2009-May-02 17:45:12      -   Directory
to-8.0-BETA1/      2009-Jul-...              -   Directory
to-8.0-BETA2/      2009-Jul-...              -   Directory
to-8.0-BETA3/      2009-Aug-23 22:04:57      -   Directory
...edited...
80BETA2.tar        2009-Jul-30 ...        1.7G   application/x-tar
80BETA3.tar        2009-Aug-23 22:38:23   1.5G   application/x-tar
...es.tar          2009-Jul-30 06:32:07  13.9M   application/x-tar

Listing 25. Uname output for 7-STABLE and Failed FreeBSD Update for STABLE

fbsd71toS# uname -a
FreeBSD fbsd71toS.taosecurity.com 7.2-STABLE FreeBSD 7.2-STABLE #0: Sat Aug 22 23:02:30 EDT 2009     root@fbsd71toS.taosecurity.com:/usr/obj/usr/src/sys/FREEBSD7  i386
fbsd71toS# freebsd-update -v debug fetch
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from update5.FreeBSD.org...
fetch: http://update5.FreeBSD.org/7.2-STABLE/i386/pub.ssl: Not Found
failed.

Listing 26. Supfile for FreeBSD 7.2

*default host=INSERTYOURCHOICE.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_7_2_0
*default delete use-rel-suffix
*default compress
src-all


time when the patch was integrated into the FreeBSD source tree. This is Solution 1 in the advisory. We take the time from the Corrected section of the advisory. Because our system is running FreeBSD 7.1, we look for the date involving that version of FreeBSD.

2009-06-10 10:31:11 UTC (RELENG_7_1, 7.1-RELEASE-p6)

This means we can update all of the source code on our system to a date after 2009-06-10 10:31:11 UTC to be sure the kernel patch is applied.

In order to do that, we will use Csup. We will modify our earlier supfile that controls how Csup operates.

We set the date to be in the minute after the correction time noted earlier.

Now we are ready to use Csup to update our source tree (see Listing 22).

Now we can follow the same process as seen in the previous example (see Listing 18).

After rebooting, you see the new version of the FreeBSD kernel is installed (along with the userland).

As you can see, Csup is functionally equivalent to CVSup, and Csup is packaged with the FreeBSD OS.

FreeBSD Update's Available Versions

In the first section of this paper we saw FreeBSD Update used to keep a FreeBSD 7.2 system up-to-date. If you need to understand what sort of updates or upgrades are available for FreeBSD using freebsd-update, you can manually inspect one of the update sites. At the time of writing, visiting http://update2.freebsd.org displayed the following (see Listing 24).

Take the 7.2-RELEASE/ directory as an example. This means that FreeBSD Update knows how to start with FreeBSD 7.2-RELEASE (as we started the article) and update or upgrade to the to- directories. FreeBSD Update does not have the capability to update from 4.x, for example, or from any STABLE version (e.g., 7.2-STABLE).

For example, if you tried to use FreeBSD Update to update a 7.2-STABLE system, it will fail (see Listing 25).

If you are having trouble using FreeBSD Update, it's helpful to activate the '-v debug' switch to see what is happening.
Listing 27a. FreeBSD Update from 7.1 to 7.2

freebsd7# freebsd-update upgrade -r 7.2-RELEASE
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from update4.FreeBSD.org... done.
Fetching metadata signature for 7.1-RELEASE from update4.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.

The following components of FreeBSD seem to be installed:
kernel/generic src/base src/bin src/cddl src/contrib src/crypto src/etc
src/games src/gnu src/include src/krb5 src/lib src/libexec src/release
src/rescue src/sbin src/secure src/share src/sys src/tools src/ubin
src/usbin world/base world/dict world/doc world/games world/info
world/manpages world/proflibs

The following components of FreeBSD do not seem to be installed:
world/catpages

Does this look reasonable (y/n)? y

Fetching metadata signature for 7.2-RELEASE from update4.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Inspecting system... done.
Fetching files from 7.1-RELEASE for merging... done.
Preparing to download files... done.
Fetching 30059 patches.....10....20....30....40....50....60....70....80....90....100
...edited...
Applying patches... done.
Fetching 2273 files... done.
Attempting to automatically merge changes in files... done.

The following changes, which occurred between FreeBSD 7.1-RELEASE and
FreeBSD 7.2-RELEASE have been merged into /etc/group:
--- current version
+++ new version
@@ -1,4 +1,4 @@
-# $FreeBSD: src/etc/group,v 1.35.6.1 2008/11/25 02:59:29 kensmith Exp $
+# $FreeBSD: src/etc/group,v 1.35.8.1 2009/04/15 03:14:26 kensmith Exp $
 #
 wheel:*:0:root,analyst
 daemon:*:1:
 kmem:*:2:
...edited...
Does this look reasonable (y/n)? y

The following changes, which occurred between FreeBSD 7.1-RELEASE and
FreeBSD 7.2-RELEASE have been merged into /etc/master.passwd:
--- current version
+++ new version
@@ -1,4 +1,4 @@
-# $FreeBSD: src/etc/master.passwd,v 1.40.18.1 2008/11/25 02:59:29 kensmith Exp $
+# $FreeBSD: src/etc/master.passwd,v 1.40.20.1 2009/04/15 03:14:26 kensmith Exp $
 #
 root:$1$...:0:0::0:0:Charlie &:/root:/bin/csh
 toor:*:0:0::0:0:Bourne-again Superuser:/root:
 daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
 operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
Does this look reasonable (y/n)? y

The following changes, which occurred between FreeBSD 7.1-RELEASE and
FreeBSD 7.2-RELEASE have been merged into /etc/passwd:
--- current version
+++ new version
@@ -1,4 +1,4 @@
-# $FreeBSD: src/etc/master.passwd,v 1.40.18.1 2008/11/25 02:59:29 kensmith Exp $
+# $FreeBSD: src/etc/master.passwd,v 1.40.20.1 2009/04/15 03:14:26 kensmith Exp $
 #
 root:*:0:0:Charlie &:/root:/bin/csh
 toor:*:0:0:Bourne-again Superuser:/root:
 daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
 operator:*:2:5:System &:/:/usr/sbin/nologin
Does this look reasonable (y/n)? y

The following files will be removed as part of updating to 7.2-RELEASE-p3:
/boot/kernel/...
...edited...
/usr/src/sys/vm/vm_pageq.c

The following files will be added as part of updating to 7.2-RELEASE-p3:
/boot/kernel/cpuctl.ko
...edited...
/usr/src/usr.sbin/makefs/walk.c

The following files will be updated as part of updating to 7.2-RELEASE-p3:
/.cshrc
/.profile
/COPYRIGHT
...edited...
/var/yp/Makefile.dist

freebsd7# freebsd-update install
Installing updates...
Kernel updates have been installed. Please reboot and
FreeBSD Update to Upgrade from One Minor Version to Another

You've seen how CVSup and Csup can be used to update the OS and userland according to the tags in a supfile. You could easily continue this process if you wished to upgrade from FreeBSD 7.1 to FreeBSD 7.2-RELEASE. For example, your supfile would say the following (see Listing 26).

Notice we removed the date tag seen earlier. We also changed the release tag to indicate RELENG_7_2_0, which would be the same FreeBSD 7.2 shipped on CD.

It would make more sense to use RELENG_7_2 so the new system would be tracking the security branch.


Listing 28. Supfile for FreeBSD 7-STABLE

*default host=INSERTYOURCHOICE.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_7
*default delete use-rel-suffix
*default compress
src-all

Listing 29. Uname output for FreeBSD 7-STABLE

freebsd7# uname -a
FreeBSD freebsd7.localdomain 7.2-STABLE FreeBSD 7.2-STABLE #2: Sat Aug 22 17:12:42 EDT 2009     root@freebsd7.localdomain:/usr/obj/usr/src/sys/FREEBSD7  i386

Listing 30. Uname for system running FreeBSD 7-STABLE with desired kernel

fbsd71toS# uname -a
FreeBSD fbsd71toS.taosecurity.com 7.2-STABLE FreeBSD 7.2-STABLE #0: Sat Aug 22 23:02:30 EDT 2009     root@fbsd71toS.taosecurity.com:/usr/obj/usr/src/sys/FREEBSD7  i386


It would be convenient if we could use binary upgrades via FreeBSD Update. It turns out that in this situation, we can do so. These are the basic commands:

freebsd-update upgrade -r 7.2-RELEASE
freebsd-update install
reboot
freebsd-update install

Note that this process requires plenty of free space in the /var partition. If you have more free space elsewhere (say in /usr), you can specify an alternative work directory for freebsd-update using the -d switch, e.g.,

freebsd-update -d /usr/db/freebsd-update upgrade -r 7.2-RELEASE

Listing 27b. FreeBSD Update from 7.1 to 7.2, continued

run "/usr/sbin/freebsd-update install" again to finish installing updates.
freebsd7# reboot
freebsd7# freebsd-update install
Installing updates... done.
freebsd7# uname -a
FreeBSD freebsd7.localdomain 7.2-RELEASE-p2 FreeBSD 7.2-RELEASE-p2 #0: Wed Jun 24 00:57:44 UTC 2009     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386


Ensure the specified directory exists before starting FreeBSD Update.

In the following example, we upgrade our FreeBSD 7.1 system to FreeBSD 7.2 using FreeBSD Update. FreeBSD Update will upgrade the system to the latest point in the security branch.

As you can see, we used FreeBSD Update to bring our FreeBSD 7.1 system to the latest security update for FreeBSD 7.2. Notice we are running a GENERIC kernel again (see Listings 27a and 27b).

STABLE: The End of the Line for a Single Version

The end of the line in the FreeBSD 7.x tree is 7.2-STABLE. The STABLE tree incorporates not only bug fixes and security patches, but upgrades that are Merged From


Listing 31. Uname for system that needs to update its kernel 


freebsd/S# uname -a 


FreeBSD freebsd7S.taosecurity.com 7.2-STABLE FreeBSD 


Ts2=STABLE Gz? Sat Aug 22 1/712542 2Dr 2009 


7, 2-=RELBASE-p2 #05 Wed Jun 24 0075/7744 UTC 2009 


root@fre 


ebsd7.localdomain: /usr/obj/usr/src/sys/FREEBSD/ 13866 


Listing 32. Mounting remote /usr/src and /usr/obj using NFS 


freebsd7S# mount -t nfs 172.16.134.130:/usr/src /usr/src 
freebsd7S# mount -t nfs 172.16.134.130:/usr/obj /usr/obj 
freebsd7S# mount 
/dev/ad0s1a on / (ufs, local) 
devfs on /dev (devfs, local) 
/dev/ad0s1f on /home (ufs, local, soft-updates) 
/dev/ad0s1g on /tmp (ufs, local, soft-updates) 
/dev/ad0s1d on /usr (ufs, local, soft-updates) 
/dev/ad0s1e on /var (ufs, local, soft-updates) 
172.16.134.130:/usr/src on /usr/src (nfs) 
172.16.134.130:/usr/obj on /usr/obj (nfs) 


Listing 33. Supfile for CURRENT 


*default host=INSERTYOURCHOICE.FreeBSD.org 
*default base=/usr 
*default prefix=/usr 
*default release=cvs tag=. 
*default delete use-rel-suffix 
*default compress 
src-all 


fbsd71toS# uname -a 
FreeBSD fbsd71toS.taosecurity.com 7.2-STABLE FreeBSD 7.2-STABLE #0: Sat Aug 22 23:20:25 EDT 2009 root@fbsd71toS.taosecurity.com:/usr/obj/usr/src/sys/FREEBSD7 i386 
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CURRENT (aka MFC’d). STABLE is a 
constantly moving target, marked only by 
the date and time that an administrator 
uses CVSup to sync with the STABLE tree. 
For this reason, security advisories, such 
as FreeBSD-SA-09:12.bind, will list the 
date and time at which a STABLE branch 
incorporates a security fix: 

Corrected: 2009-07-28 23:59:22 UTC 
(RELENG_7, 7.2-STABLE) 


If your STABLE is older than the date 
specified, your system is vulnerable. 
Compare that method of gauging a 
system's exposure to the patch level of 
running the security branch. From the 
same advisory: 


2009-07-29 00:14:14 UTC 
(RELENG_7_2, 7.2-RELEASE-p3) 

Here we also have a timestamp, but it's 
easier to see that 7.2-RELEASE-p3 is 
patched for the bind vulnerability. 
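The two gauges just described can be automated: read the kernel build stamp and version out of uname -a, read the Corrected lines of an advisory, and compare the sync time for a STABLE system or the -pN patch level for a security-branch system. This is an added example, not code from the article; the uname lines are constructed from the listings quoted here (plus one older STABLE build for contrast), and the time-zone table is an assumption.

```python
"""Judge a FreeBSD system's exposure to an advisory from `uname -a` output.

Added example for this article, not the author's code. Sample inputs are
constructed from the article's listings; the time-zone table is an assumption.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed from the article's uname listings (the Aug 22 2009 STABLE
# build and the 7.2-RELEASE-p2 binary release) plus one older STABLE build.
UNAME_STABLE_NEW = ("FreeBSD freebsd7S.taosecurity.com 7.2-STABLE FreeBSD 7.2-STABLE #2: "
                    "Sat Aug 22 17:12:42 EDT 2009     root@freebsd7.localdomain:"
                    "/usr/obj/usr/src/sys/FREEBSD7  i386")
UNAME_STABLE_OLD = ("FreeBSD old7.example.org 7.2-STABLE FreeBSD 7.2-STABLE #1: "
                    "Sat Jul 11 10:00:00 EDT 2009     root@old7.example.org:"
                    "/usr/obj/usr/src/sys/GENERIC  i386")
UNAME_RELEASE = ("FreeBSD freebsd7.localdomain 7.2-RELEASE-p2 FreeBSD 7.2-RELEASE-p2 #0: "
                 "Wed Jun 24 00:57:44 UTC 2009     root@i386-builder.daemonology.net:"
                 "/usr/obj/usr/src/sys/GENERIC  i386")

# "Corrected:" block in the shape FreeBSD-SA-09:12.bind uses (timestamps as quoted above).
ADVISORY_CORRECTED = """\
Corrected:      2009-07-28 23:59:22 UTC (RELENG_7, 7.2-STABLE)
                2009-07-29 00:14:14 UTC (RELENG_7_2, 7.2-RELEASE-p3)
"""

# Assumption: the zone abbreviations uname prints map to these fixed UTC offsets.
TZ_OFFSETS = {"UTC": 0, "GMT": 0, "EST": -5, "EDT": -4}

UNAME_RE = re.compile(
    r"FreeBSD \S+ (?P<version>\S+) FreeBSD \S+ #\d+: "
    r"(?P<stamp>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<tz>[A-Z]{3,4}) (?P<year>\d{4})")
CORRECTED_RE = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC \((\w+), ([\w.-]+)\)")
PATCH_RE = re.compile(r"^(?P<base>\d+\.\d+-RELEASE)(?:-p(?P<level>\d+))?$")


def parse_uname(line):
    """Return (version string, kernel build time as an aware UTC datetime)."""
    m = UNAME_RE.search(line)
    if not m:
        raise ValueError("unrecognised uname -a output")
    # Collapse the padded day field ("Aug  2") so strptime accepts it.
    stamp = re.sub(r" +", " ", m.group("stamp")) + " " + m.group("year")
    local = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    offset = TZ_OFFSETS[m.group("tz")]
    built = local.replace(tzinfo=timezone(timedelta(hours=offset))).astimezone(timezone.utc)
    return m.group("version"), built


def parse_corrected(text):
    """Map each corrected version label (e.g. '7.2-STABLE') to its UTC fix time."""
    fixes = {}
    for stamp, _cvs_tag, label in CORRECTED_RE.findall(text):
        fixes[label] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return fixes


def assess(uname_line, advisory_text):
    """Return ('vulnerable' | 'patched' | 'unknown', explanation)."""
    version, built = parse_uname(uname_line)
    fixes = parse_corrected(advisory_text)
    if version.endswith("-STABLE"):
        # STABLE carries no patch level: the only gauge is whether the tree was
        # synced (approximated here by the kernel build time) after the fix landed.
        fix_time = fixes.get(version)
        if fix_time is None:
            return "unknown", f"advisory lists no fix for {version}"
        if built < fix_time:
            return "vulnerable", (f"kernel built {built:%Y-%m-%d %H:%M:%S} UTC, "
                                  f"fix landed {fix_time:%Y-%m-%d %H:%M:%S} UTC")
        return "patched", f"kernel built after the fix landed at {fix_time:%Y-%m-%d %H:%M:%S} UTC"
    m = PATCH_RE.match(version)
    if not m:
        return "unknown", f"cannot classify version {version}"
    have = int(m.group("level") or 0)
    # Security branch: compare patch levels, which is what the -pN suffix exists for.
    for label in fixes:
        fm = PATCH_RE.match(label)
        if fm and fm.group("base") == m.group("base"):
            need = int(fm.group("level") or 0)
            if have < need:
                return "vulnerable", f"running {version}, advisory fixed in {label}"
            return "patched", f"{version} is at or past {label}"
    return "unknown", f"advisory lists no fix for {m.group('base')}"


if __name__ == "__main__":
    for sample in (UNAME_STABLE_NEW, UNAME_STABLE_OLD, UNAME_RELEASE):
        print(sample.split()[2], *assess(sample, ADVISORY_CORRECTED))
```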

For demonstration purposes, we will 
upgrade our FreeBSD 7.2-RELEASE-p2 
system to STABLE by modifying our supfile 
with these contents (see Listing 28). 

Next we follow the commands 
introduced earlier to upgrade to 7.2-STABLE. 
Begin with: 


csup -g -L 2 /usr/local/etc/freebsd7-example.supfile 


Then continue by using a new copy of the 
GENERIC kernel configuration file. There 
may be changes introduced in STABLE 
that are not reflected in your own kernel 
configuration file. 


cp /usr/src/sys/i386/conf/GENERIC /usr/src/sys/i386/conf/FREEBSD7 


Now we follow the commands we've 
seen earlier (see Listing 18). 

When done you will be running FreeBSD 
7.2-STABLE. Our uname output then 
appears as follows (see Listing 29). 

Notice the output says 7.2-STABLE, 
although the CVS tag used was 
RELENG_7. 


Building a Userland and Kernel 
on One System and Installing 
on Another 

In the following example, we will show 
how to install the userland and kernel 
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built on one system onto a second 
system. The server with the desired 
userland and kernel is fbsd71toS, or 
172.16.134.130 (see Listing 30). 

Since we are using NFS, the server 
has the following in /etc/rc.conf. 


rpcbind_enable="YES" 
nfs_server_enable="YES" 


The server also has the following /etc/ 
exports file. 


fbsd71toS# cat /etc/exports 
/usr -alldirs 


The client that will receive the new 
userland and kernel is freebsd7S (see 
Listing 31). The client has the following in 
/etc/rc.conf. 


nfs_client_enable="YES" 


Figure 3. FreeBSD binary updates (browser view of the update server's Index of / listing: one directory per release, from 5.5-RELEASE/ through 8.0-BETA4/, plus the to-7.1-RELEASE/, to-7.2-RELEASE/ and to-8.0-BETA1/ through to-8.0-BETA4/ upgrade directories) 
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


First we mount /usr/src and /usr/obj from 
the server to the client using NFS (see Listing 
32). Make sure we are now in /usr/src. 


freebsd7S# cd /usr/src 


At this point we can follow the instructions 
we saw earlier, starting as shown. 


make installkernel KERNCONF=FREEBSD7 
mergemaster -p 
make installworld 
mergemaster 

Before reboot I umount the NFS mounts. 


freebsd7S# pwd 
/root 
freebsd7S# umount /usr/ports 
freebsd7S# umount /usr/src 
freebsd7S# umount /usr/obj 


reboot 


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


Listing 34a. FreeBSD Update from 7.1 to 8.0-BETA3 


fbsd71-to-8# uname -a 
FreeBSD fbsd71-to-8.taosecurity.com 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan 1 14:37:25 UTC 2009 
root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 

fbsd71-to-8# setenv HTTP_PROXY http://172.16.2.2:3128 
fbsd71-to-8# freebsd-update upgrade -r 8.0-BETA3 
Looking up update.FreeBSD.org mirrors... 3 mirrors found. 
Fetching public key from update5.FreeBSD.org... done. 
Fetching metadata signature for 7.1-RELEASE from update5.FreeBSD.org... done. 
Fetching metadata index... done. 
Fetching 2 metadata files... done. 
Inspecting system... done. 

The following components of FreeBSD seem to be installed: 
kernel/generic world/base world/dict world/doc world/games world/info 
world/manpages 

The following components of FreeBSD do not seem to be installed: 
src/base src/bin src/cddl src/contrib src/crypto src/etc src/games 
src/gnu src/include src/krb5 src/lib src/libexec src/release src/rescue 
src/sbin src/secure src/share src/sys src/tools src/ubin src/usbin 
world/catpages world/proflibs 

Does this look reasonable (y/n)? y 

Fetching metadata signature for 8.0-BETA3 from update5.FreeBSD.org... done. 
Fetching metadata index... done. 
Fetching 1 metadata patches. done. 
Applying metadata patches... done. 
Fetching 1 metadata files... done. 
Inspecting system... done. 
Fetching files from 7.1-RELEASE for merging... done. 
Preparing to download files... 
...edited... 
Applying patches... done. 
Fetching 750 files... done. 
Attempting to automatically merge changes in files... done. 

The following changes, which occurred between FreeBSD 7.1-RELEASE and 
FreeBSD 8.0-BETA3 have been merged into /etc/group: 
--- current version 
+++ new version 
@@ -1,6 +1,6 @@ 
-# $FreeBSD: src/etc/group,v 1.35.6.1 2008/11/25 02:59:29 kensmith Exp $ 
+# $FreeBSD: src/etc/group,v 1.35.10.1 2009/08/03 08:13:06 kensmith Exp $ 
 # 
 wheel:*:0:root,analyst 
 daemon:*:1: 
 kmem:*:2: 
 sys:*:3: 
Does this look reasonable (y/n)? y 

The following changes, which occurred between FreeBSD 7.1-RELEASE and 
FreeBSD 8.0-BETA3 have been merged into /etc/master.passwd: 
--- current version 
+++ new version 
@@ -1,6 +1,6 @@ 
-# $FreeBSD: src/etc/master.passwd,v 1.40.18.1 2008/11/25 02:59:29 kensmith Exp $ 
+# $FreeBSD: src/etc/master.passwd,v 1.40.22.1 2009/08/03 08:13:06 kensmith Exp $ 
 # 
 root:[password hash]:0:0::0:0:Charlie &:/root:/bin/csh 
 toor:*:0:0::0:0:Bourne-again Superuser:/root: 
 daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin 
 operator:*:2:5::0:0:System &:/:/usr/sbin/nologin 
Does this look reasonable (y/n)? y 

The following changes, which occurred between FreeBSD 7.1-RELEASE and 
FreeBSD 8.0-BETA3 have been merged into /etc/passwd: 
--- current version 
+++ new version 
@@ -1,6 +1,6 @@ 
-# $FreeBSD: src/etc/master.passwd,v 1.40.18.1 2008/11/25 02:59:29 kensmith Exp $ 
+# $FreeBSD: src/etc/master.passwd,v 1.40.22.1 2009/08/03 08:13:06 kensmith Exp $ 
 # 
 root:*:0:0:Charlie &:/root:/bin/csh 
 toor:*:0:0:Bourne-again Superuser:/root: 
 daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin 
 operator:*:2:5:System &:/:/usr/sbin/nologin 
Does this look reasonable (y/n)? y 

The following files will be removed as part of updating to 8.0-BETA3-p0: 
/boot/kernel/ath_hal.ko 
/boot/kernel/ath_hal.ko.symbols 
/boot/kernel/ath_rate.ko 
...edited... 
The following files will be added as part of updating to 8.0-BETA3-p0: 
/boot/gptzfsboot 
/boot/kernel/accf_dns.ko 
...edited... 
The following files will be updated as part of updating to 8.0-BETA3-p0: 
/.cshrc 
/.profile 
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When done we check the uname output 
on the client to see that it matches the 
server from which it received its kernel 
and userland. 

That kernel matches the one on the 
server, so we just successfully installed 
a userland and kernel built on fbsd71toS 
onto a client, freebsd7S. 


What Comes Next? 

Beyond STABLE comes CURRENT, or 
HEAD, or tag=. in a supfile. CURRENT 
represents the next version of FreeBSD. 
For example, while FreeBSD 7.x is the 
STABLE version, CURRENT is being 
prepared as FreeBSD 8.0. At the time 
of writing, FreeBSD 8.0 is currently in 
BETA. Although testing the next version 
of FreeBSD is encouraged in order to 
support the project and to ensure it works 
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on your platforms, I do not recommend 
running CURRENT in production. 

One could use CVSup or Csup to 
update to CURRENT using the following 
supfile (see Listing 33). 

However, when I want to try CURRENT, 
I prefer to start with a snapshot (http://www.freebsd.org/snapshots/) 
and either use the snapshot or CVSup to CURRENT 
from the snapshot. A snapshot is a version 
of FreeBSD from various branches. For 
example, at the time of writing, snapshots 
for FreeBSD 6.4-STABLE, 7.2-STABLE, and 
8.0-CURRENT are posted. 


Upgrading from One Major 
Version to Another Major 
Version Using FreeBSD Update 
In the final example for this article, I 
will show how to use binary upgrades 


Listing 34b. FreeBSD Update from 7.1 to 8.0-BETA3, continued 


/COPYRIGHT 
...edited... 
/var/named/etc/namedb/named.root 
/var/yp/Makefile.dist 

fbsd71-to-8# freebsd-update install 
Installing updates... 
Kernel updates have been installed. Please reboot and run 
"/usr/sbin/freebsd-update install" again to finish installing updates. 

fbsd71-to-8# reboot 

fbsd71-to-8# freebsd-update install 
Installing updates... 
Completing this upgrade requires removing old shared object files. 
Please rebuild all installed 3rd party software (e.g., programs 
installed from the ports tree) and then run "/usr/sbin/freebsd-update install" 
again to finish installing updates. 

fbsd71-to-8# pkg_info 
cmdwatch-0.2.0_1    Watches the output from a command at specified intervals 
screen-4.0.3_6      A multi-screen window manager 
fbsd71-to-8# cd /var/db/pkg 
fbsd71-to-8# pkg_delete cmdwatch-0.2.0_1 
fbsd71-to-8# pkg_delete screen-4.0.3_6 

fbsd71-to-8# reboot 

fbsd71-to-8# uname -a 
FreeBSD fbsd71-to-8.taosecurity.com 8.0-BETA3 FreeBSD 8.0-BETA3 #0: Sat 
Aug 22 02:36:50 UTC 2009 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 
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via FreeBSD Update to upgrade from 
FreeBSD 7.1-RELEASE to FreeBSD 8.0-BETA3. 
I follow the instructions posted 
in the announcement for BETA3 (http://lists.freebsd.org/pipermail/freebsd-stable/2009-August/051628.html). 
By setting a proxy we can have the proxy 
provide copies of the updates to similar 
systems that might also need to perform 
the upgrade, as well as simply use a 
proxy to reach the Internet. 

PLEASE NOTE that you should follow 
the instructions provided in any release 
announcement and not just those in this 
document. For example, the test system 
used in this article only has cmdwatch 
and screen installed. This is NOT typical 
of a production system. It is trivial for me 
to manually uninstall these applications 
compiled for 7.x and reinstall the latest 
versions compiled for 8.x. Therefore, I do 
not show those steps here. 

The official documentation describes 
ways to handle applications installed as 
packages or using the ports tree. 

This can take a long time, especially 
at the Inspecting system... stages (see 
Listings 34a and 34b). 

That's it; we're running FreeBSD 
8.0-BETA3! We would have to reinstall 
our applications, which is covered in 
my related article on Keeping FreeBSD 
Applications Up-To-Date. 

For reference, the install prior to 
the first reboot installs the new kernel. 
The install after the first reboot installs 
the new userland. The install after the 
second reboot removes any old libraries 
used by applications that we removed 
(i.e., cmdwatch and screen). 


Conclusion 

I hope this article has helped you 
understand the different ways to keep 
a FreeBSD system up-to-date with 
security advisories. It is by no means 
comprehensive, but by following it you 
hopefully can judge the different ways to 
keep your system in sync with the latest 
security patches and fixes for FreeBSD. 


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FreeBSD 8.0 RC1 


The version included on the DVD is the 8.0-RC1 and not 8.0-RELEASE. 
Please see below for update instructions. 

The FreeBSD Update tool can be used to upgrade from FreeBSD 8.0-RC1 to FreeBSD 8.0-RELEASE once it becomes 
available. To use this tool, run: 

# freebsd-update upgrade -r 8.0-RELEASE 

as root and follow the prompts; you may be asked to confirm that some system configuration files have been correctly 
updated. This will fetch and verify the files required to upgrade to 8.0-RELEASE. Next, run 

# freebsd-update install 
# shutdown -r now 

to install updates to the FreeBSD kernel and reboot; after rebooting, run 

# freebsd-update install 

a second time, at which point non-kernel updates will be installed, leaving you with a system running FreeBSD 8.0-RELEASE. 


What is FreeBSD? 

FreeBSD is an advanced operating 
system for x86 compatible (including 
Pentium and Athlon), amd64 compatible 
(including Opteron, Athlon64, and 
EM64T), ARM, IA-64, PowerPC, PC-98 
and UltraSPARC architectures. It is 
derived from BSD, the version of UNIX 
developed at the University of California, 
Berkeley. It is developed and maintained 
by a large team of individuals. Additional 
platforms are in various stages of 
development. 


Cutting edge features 

FreeBSD offers advanced networking, 
performance, security and compatibility 
features today which are still missing 
in other operating systems, even some 
of the best commercial ones. Visit http: 
//www.freebsd.org/features.html to find 
out more. 


Powerful Internet solutions 
FreeBSD makes an ideal Internet or 
Intranet server. It provides robust network 
services under the heaviest loads and 
uses memory efficiently to maintain 
good response times for thousands of 
simultaneous user processes. 


Advanced Embedded Platform 

From mail and web appliances to 
routers, time servers, and wireless 
access points, vendors around the 
world rely on FreeBSD's integrated 
build and cross-build environments and 
advanced features as the foundation 
for their embedded products. And the 
Berkeley open source license lets them 
decide how many of their local changes 
they want to contribute back. 


Run a huge number of applications 

With over 20,000 ported libraries 
and applications, FreeBSD supports 
applications for desktop, server, appliance, 
and embedded environments. 


Easy to install 

FreeBSD can be installed from a variety 
of media including CD-ROM, DVD, or 
directly over the network using FTP or NFS. 
Get directions from www.freebsd.org. 


FreeBSD is free 

While you might expect an operating 
system with these features to sell for a 
high price, FreeBSD is available free of 
charge and comes with full source code. 


Contributing to FreeBSD 

It is easy to contribute to FreeBSD. All you 
need to do is find a part of FreeBSD which you 
think could be improved and make those changes 
(carefully and cleanly) and submit that back to the Project by 
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means of send-pr or a committer, if you 
know one. This could be anything from 
documentation to artwork to source code. 
See the Contributing to FreeBSD article 
at http://www.freebsd.org/about.html for 
more information. 

Even if you are not a programmer, 
there are other ways to contribute to 
FreeBSD. The FreeBSD Foundation is a 
non-profit organization for which direct 
contributions are fully tax deductible. 
Please contact board@FreeBSDFoundation.org 
for more information or write to: 
The FreeBSD Foundation, P.O. Box 20247, 
Boulder, CO 80308, USA. 


If the DVD content cannot be accessed and the disc is not damaged, try to 
run it on at least two DVD-ROMs. 


If you have encountered any problems with the DVD, please write to: cd@software.com.pl 
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Using BSD 


for your Studies 


Edd Barrett 


About four years ago I was starting my undergraduate computing degree. I knew that 
UNIX-like operating systems had proven themselves in the server room, but how 
would they fare in the lecture theatre? 


At the time that I started studying, I had already been 
using OpenBSD for a couple of years, but was 
curious as to whether it was going to be feasible 
as an everyday study aid. In this informal and non-technical 
article I hope to share my findings and highlight 
some tools I found useful for my degree. 


Introduction 

Academic computing boils down to three categories of tasks: 
coding, documenting and diagramming, each of which I 
found to require different specialised tools, depending greatly 
upon the nature of the task. Why did I need so many tools? A 
modern computing degree is likely to comprise a diverse 
range of subjects, usually including units for object oriented 
programming, web-based programming, software engineering 
techniques, relational databases, networking and possibly 
computer law/ethics. Let's take a look at what free software 
has to offer your BSD workstation with regards to these subject 
areas. 


Coding 

In terms of programming languages, a BSD user is spoilt for 
choice. Take a look at your package collection and you will find 
a huge selection of programming and scripting languages at 
your disposal. My University primarily taught using the Java 
programming language from Sun Microsystems (as many 
Universities now do). Initially for a BSD user, this was quite 
awkward as Sun were very particular about how Java could 
be distributed and no binary packages were available for quite 
some time. Recently however, the OpenJDK project has been 
ported to OpenBSD (in ports under devel/jdk), allowing Java 
to be installed by simply using pkg_add. I must admit that I 
tended to choose C or C++ over Java if possible, as the 
compilers (gcc and g++) are a part of the base install. 


Other languages were also a breeze to install. PHP (www/ 
php5) could be used with the in-base apache web server 
shipping with OpenBSD for the web-based unit. I also found myself 
using several other scripting languages including Ruby (lang/ 
ruby) and Python (lang/python) for various other tasks. 

Next you can start looking into a text editor or IDE to 
actually write some code with. I think students are pretty much 
free to do as they please here and I am sure most computing 
students will already have a favourite text editor. I pretty much 
exclusively used Vim (editors/vim) for coding and found it to 
be mostly excellent for this purpose. A lot of my course-mates 
liked to use eclipse (devel/eclipse) for Java development for its 
code completion features and one of my lecturers (who even 
ran OpenBSD on his laptop) swore by Nedit (editors/nedit). 
Ultimately text editors are vastly down to personal choice, so I 
couldn't say any editor is the best. My advice here is to go and 
play until you find one you like. 

So now we have everything we need to start hacking 
out some code, but there are some other tools you might wish 
to use. I went further by using source control. A bit overkill, 
some might say (for a single developer project), however 
I found these tools essential. For those unfamiliar with the 
term source control (or sometimes version control or source 
code management), this term relates to tracking changes in 
a software project. So why would you want to do that? Ever 
found yourself in a "Where did I get to again?" or a "What have I 
changed that broke that?" situation? 

Well tools such as (but not limited to) CVS (in base install) 
or subversion (devel/subversion) can help answer those 
questions. Also if your source control server is separate from your 
workstation, a code checkout acts as a poor man's backup. 
Once you have lost a large portion of code once, for example, 
the bit you stayed up all night last night implementing, you will 
see why backups are useful. To complement source control, I 
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recommend the Trac software package 
(www/trac), which comes with a source 
control browser, bug tracker and wiki. 
Very useful indeed. 


Writing Documentation 
The next major task, and probably the 
most significant in any degree, is the 
task of producing write-ups. At your 
disposal here are two classes of software: 
word processors and typesetters. 
I am sure you are all familiar with the 
concept of a word processor, so we 
probably don't need a detailed discussion. 
For word processing, the popular 
choice amongst free software users at 
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Figure 1. Drawing a network diagram in dia. 
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Figure 2. Bouml makes tidy UML diagrams for your write-ups. 




my Uni was OpenOffice Writer (editors/ 
openoffice), which is a fully featured 
word processing package offering an 
interface not dissimilar to Microsoft 
Word. Other word processors you 
may wish to try are AbiWord (editors/ 
abiword) and KWord (x11/kde/office3). 
At the other end of the spectrum are 
typesetters, which take an entirely different 
approach to document generation. 
With a typesetter you write your document 
in a mark-up language which is 
then compiled into a viewable document. 
During the first year of my course I discovered 
the LaTeX typesetter and have used 
it ever since for all of my assignments. 
Some fellow students also picked up 
LaTeX and found it practical too, but others 
disliked writing documents in mark-up. 
Think of it like Marmite; you either love 
it or you hate it, so try for yourself (print/ 
texlive). Personally I like it because: 

The results look elegant and professional. 
It is easily imported into source control because the input format is textual. 
Source code listings can be directly included by file name rather than with copy and paste (and again when the source changes). 


Drawing Diagrams 

Academics really love to invent 
diagram notations. After half a year 
of University life you will find yourself 
knee deep in all kinds of types of 
diagrams. I could never cover them all 
in this short article, but what I can do 
is briefly cover the main ones which 
a computing student is likely to need 
to know. 

The most complete generic diagram 
drawing program that I found was dia 
(graphics/dia). It is not dissimilar to 
Microsoft Visio and can be used for 
entity relationship diagrams, flow charts, 
logical network diagrams and much 
more; however, you will often find that 
specialist tools can achieve better results 
(if they exist). 

Probably the most commonly 
used diagram for academic software 
development is the Unified Modelling 
Language (UML) class diagram. A 
bunch of people at the Object Model 
Group (OMG) devised a set of diagrams 
which could be used to visually model 
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aspects of software projects. The UML 
class diagram is commonly used to 
model relationships between classes 
in object oriented languages like Java 
and C++. My personal choice for such 
a diagram is Bouml (devel/bouml), 
which can model many different UML 
diagrams and also output SVG/PNG 
graphics for inclusion in your write-ups. 
The user interface is a little quirky 
at first, but once you get used to it, 
you can slap up class diagrams very 
quickly and neatly. 

For flow charts and control flow 
graphs, I found the best option to be 
graphviz (math/graphviz). Like LaTeX, 
graphviz uses a markup language which 
is compiled. One valuable realisation that 
I made during my studies is that one of 
the benefits of these text based mark-up 
languages is that they are easily 
auto-generated by other pieces of software. 
Take, for example, the classic computer 
science "off you go and implement a 
linked list" task; whilst you are traversing 
your linked list, you could generate 
graphviz code. The code when compiled 
could generate a directed graph, showing 
the nodes of your linked list, then 
this could be included as a part of your 
report. If you don't much like the idea of 
drawing diagrams in code, then trusty 
old dia is probably going to be a better 
choice for this kind of task. 
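The linked-list idea above, carried through: a traversal that emits graphviz DOT source for each node and its next pointer, ready to be compiled with dot and dropped into a report. This is an added example, not the author's code; the list contents are constructed here, and the cycle guard (a dashed "cycle" edge instead of looping forever on a corrupted list) is an addition.

```python
"""Emit graphviz DOT source while traversing a singly-linked list.

Added example for this article, not the author's code. The list and its
values are constructed here; the cycle guard is an addition so that a
list whose last node points back into the chain still yields a finite graph.
"""


class Node:
    def __init__(self, value, next_node=None):
        self.value = value
        self.next = next_node


def build_list(values):
    """Build a singly-linked list from an iterable and return its head (None if empty)."""
    head = None
    for value in reversed(list(values)):
        head = Node(value, head)
    return head


def to_dot(head, name="linked_list"):
    """Traverse from `head` and return DOT text showing every node and its next pointer.

    Each node becomes a record labelled with its position and value. The last
    node points at a NULL box; if a node's next pointer leads back to a node
    already drawn, a dashed edge labelled "cycle" is emitted and traversal stops.
    """
    lines = [f"digraph {name} {{", "    rankdir=LR;", "    node [shape=record];"]
    seen = {}  # id(node) -> DOT identifier, so a revisit is detected in O(1)
    node = head
    index = 0
    while node is not None:
        ident = f"n{index}"
        seen[id(node)] = ident
        lines.append(f'    {ident} [label="{{ {index} | {node.value} }}"];')
        nxt = node.next
        if nxt is None:
            lines.append(f"    {ident} -> NULL;")
            lines.append("    NULL [shape=plaintext];")
            break
        if id(nxt) in seen:
            lines.append(f'    {ident} -> {seen[id(nxt)]} [style=dashed, label="cycle"];')
            break
        lines.append(f"    {ident} -> n{index + 1};")
        node = nxt
        index += 1
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: a few values a student's list might hold after some inserts.
    print(to_dot(build_list([3, 1, 4, 1, 5])))
```

Pipe the output into `dot -Tpng -o list.png` to get the picture; the `{ ... | ... }` record labels render as position/value boxes.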
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Figure 3. TeXworks (print/texworks). 
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Often you will be required to carry 
out experiments, the results of which 
are to be plotted on a graph for the 
purposes of observing trends. A quick 
graph is very easily generated using 
OpenOffice Calc, and is usually the way 
I would choose to draw a small graph. 
Having said that, sometimes it is not 
convenient to work in this way. I once 
found myself with a large amount of 
data, which had been collected 
automatically by a Java program. 
Inputting this vast chunk of data 
would have been rather soul destroying 
and in such a situation you may wish 
to look into a solution using gnuplot 
(math/gnuplot). With a little research I 
managed to quickly adapt my program 
to generate gnuplot source code, which 
I could compile and include in my 
LaTeX documents. 


Conclusion 
All in all, a BSD desktop is perfectly 
acceptable as a study workhorse. If 
you did want to go down this path, | 
would recommend using a stable re- 
lease and not a developer snapshot, 
as things can get awkward at times 
when really, you just want to finish that 
darned assignment (I learnt that the 
hard way). 

| think that any form of open-source 
software offers a large learning oppor- 
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
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tunity to students. The code for such 
software is freely available for study 
and citation. I benefited from this with 
my dissertation, which was in the field 
of compiler design. I frequently found 
myself referring the reader to various open 
source language parser grammars and 
virtual machine implementations, which 
otherwise would not have been available. 

Ultimately you probably will get bitten 
by the Windows world at some point. A 
large number of commercial specialist 
tools do not run on BSD and there are no 
good open source alternatives. In these 
cases you just have to find a Windows 
box and deal with it. Looking back, I think 
I only found myself in this situation a 
couple of times and you can always dual 
boot BSD and Windows if you wish. 

If your University has UNIX labs, you 
may find some of the aforementioned 
tools there readily available to you. We 
were lucky enough to have access to a 
lab of Sun thin clients, running Solaris 10 
and the N1 grid engine. We spent a lot of 
time in this lab, exploring, tinkering and 
generally expanding our UNIX knowledge. 
We even started a Bournemouth 
Uni UNIX user group which met on a 
monthly basis to hold talks and demonstrations 
on the subject of BSD, UNIX, 
Linux etc. Resources like these are a 
great way to learn and meet like-minded 
students (and staff), so you may wish to 
see if your Uni has one. 

That about covers my key findings 
in my academic life so far. Of course 
I could have gone into far more detail 
with many of these topics, but that would 
be out of the scope of this article. I hope 
you enjoyed the read, even if it was quite 
informal. 
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The FreeBSD Chatterbox 


Eric Vintimilla 


Day in and day out, your FreeBSD sits there quietly, processing its workload. It never 
complains or asks for any favors, but what would it say if it could talk? 


The answer to that question is easy. It will say whatever 
you want it to. With Festival, your FreeBSD box can be 
more talkative than your last date! 


What is festival? 


Festival is a system that gives users text to speech capabilities 
through the shell level, a Scheme command interpreter, a C++ 
library, Java, or an Emacs interface. It offers various voices, 
including different languages and accents, such as English 
(British and American) and Spanish. Furthermore, more voices 
have been created by Carnegie Mellon's FestVox project (http://festvox.org) 
and it is relatively straightforward to create your 
own voice library. Festival has two main modes: command 
mode, where it can read input from files or interactively, and tts 
(text-to-speech), where text input is rendered as speech. 


Installing and setting up festival 
Installing Festival is quick and easy to do. Find its directory in 
your ports tree, and install it with portinstall. 


evvm# cd /usr/ports/audio/festival 


evvm# portinstall -P festival 


A few dependencies will be installed, but the process should 
not take that long. Now, enter Festival’s command line and run 
a test (see Listing 1). 


Listing 1. The Festival Command Interpreter 


evvm# festival 
WARNING 
No default voice found in ("/usr/local/share/festival/lib/voices/") 
either no voices unpacked or voice-path is wrong 
WARNING 
Scheme interpreter will work, but there is no voice to speak with. 
Festival Speech Synthesis System 1.96:beta July 2004 
Copyright (C) University of Edinburgh, 1996-2004. All rights reserved. 
For details type `(festival_warranty)' 
festival> (SayText "FreeBSD Rocks") 
-=-=-=-=-=-=-=-=- SIOD ERROR -=-=-=-=-=-=-=-=- 
[error text illegible in the scan] 
festival> ^D 
evvm# 
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It looks like there are no voice databases 
on our FreeBSD box, so we will 
have to find some, but where? Luckily, 
Carnegie Mellon's Festvox voices can also 
be found in the ports tree (Listing 2). 

There should now be a us1_mbrola 
directory under /usr/local/share/ 
festival/lib/voices/english/. Now we 
can test Festival (see Listing 3)! 

You should have heard your FreeBSD 
box claiming its awesomeness. 


What should your 

freebsd box say? 

Now, you can have your FreeBSD machine say whatever you want, but using Festival's command line interface may not be ideal. Luckily, Festival can receive input from the shell using its --tts switch. It can be used to read files or to speak the output of other processes. For example, to read an input file, you would use the following command: 

evvm# festival --tts inputfile.txt 

To make Festival speak process output, you can just use a pipe: 

evvm# date | festival --tts 

You can go one step further to make the text-to-speech process even easier. We can create a shell script to allow us to pass in any text to Festival. 


evvm# touch speak 
evvm# chmod u+x speak 
evvm# nano speak 

#!/usr/local/bin/bash 


Listing 2. Voice Packs for Festival 

evvm# ls /usr/ports/audio/ | grep festvox 
festvox-abc 
festvox-aec 
festvox-czech 
festvox-don 
festvox-el11 
festvox-hvs 
festvox-jph 
festvox-kal16 
festvox-kal8 
festvox-ked16 
festvox-ked8 
festvox-lp 
festvox-mwm 
festvox-ogirab 
festvox-pc 
festvox-rab16 
festvox-rab8 
festvox-tll 
festvox-us1-mbrola 
festvox-us2-mbrola 
festvox-us3-mbrola 
evvm# cd /usr/ports/audio/festvox-us1-mbrola/ 
evvm# portinstall -P festvox-us1-mbrola 


Listing 3. Testing Festival 

evvm# festival 
Festival Speech Synthesis System 1.96:beta July 2004 
Copyright (C) University of Edinburgh, 1996-2004. All rights reserved. 
For details type `(festival_warranty)' 
festival> (SayText "FreeBSD Rocks!") 
#<Utterance 0x28925c40> 
fest=$(/usr/bin/which festival) 
/bin/echo "$1" | "$fest" --tts 

Now, you can use this script to make FreeBSD say whatever you want: 

evvm# ./speak "Hello!" 
evvm# ./speak "$(date)" 
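The three-line speak script above works for simple strings, but it only speaks its first argument and hands the text to echo and the shell unquoted, so spaces, wildcards and anything that looks like an echo option get mangled before Festival sees them. The version below is an added example, not the article's script: it speaks every argument, quotes the text, uses printf instead of echo, falls back to standard input so it can sit at the end of a pipe, and lets the synthesizer binary be overridden through an assumed FESTIVAL environment variable (the variable name and the speak function name are mine).

```shell
#!/bin/sh
# speak: send text to Festival's text-to-speech mode.
# Added example, not the article's script. Differences from the original:
#  - every argument is spoken, not only $1, and the text is quoted so the
#    shell does not word-split or glob-expand it before Festival sees it
#  - printf replaces echo, so text starting with "-n" or "-e" is spoken
#    literally instead of being parsed as an echo option
#  - with no arguments the text is read from standard input, so the script
#    works at the end of a pipe (date | speak)
#  - the synthesizer is found with command -v; the assumed FESTIVAL
#    environment variable can point at another binary instead

speak() {
    synth="${FESTIVAL:-$(command -v festival)}"
    if [ -z "$synth" ] || ! command -v "$synth" >/dev/null 2>&1; then
        printf 'speak: festival not found (set FESTIVAL or install it)\n' >&2
        return 1
    fi
    if [ "$#" -gt 0 ]; then
        # join all arguments with single spaces and speak them
        printf '%s\n' "$*" | "$synth" --tts
    else
        # nothing on the command line: speak whatever is piped in
        "$synth" --tts
    fi
}

# When installed as ~/scripts/speak and run directly, speak the command
# line (or stdin); when sourced under another name, only define speak().
case "$0" in
    */speak|speak) speak "$@" ;;
esac
```

Installed as ~/scripts/speak, the calls from the article (`~/scripts/speak "Hello $(whoami)!"`, `cat /var/mail/$(whoami) | ~/scripts/speak`) work unchanged, and text such as "*" or "-n" no longer expands to a directory listing or vanishes.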
While having a text-to-speech system may not be as useful as setting up jails or a wireless access point, it can still be used to make your machine more interesting. First, you can set up your computer to greet you every time you log in. If you use bash, just edit your ~/.bash_profile file, and add the following to the end of it: 

sh ~/scripts/speak "Hello $(whoami)!" 


Now, every time you log in, your computer will greet you, using your username. You can also have Festival read your mail. 

evvm# ~/scripts/speak "$(cat /var/mail/$(whoami))" 


You can also have your FreeBSD box speak reminders to you. 

evvm# echo "~/scripts/speak 'You need to buy milk'" | at 1500 


Your FreeBSD box can read logs or other documents to you. You can even be mischievous and play tricks on roommates. When you are not home, SSH into your system, and try something like: 

evvm# ~/scripts/speak "I'm watching you." 


Summary 

Using Festival on your FreeBSD machine 
can be both useful and fun. You can save 
yourself reading time and multitask while 
you listen to text. There are so many things 
your system can read to you, including 
logs, emails, alerts, and reminders. The 
possibilities are practically endless. 




Encrypting the FreeBSD root file system 

Jacques Manukyan 

Systems are only as secure as you make them. Thankfully, FreeBSD offers an excellent range of tools and mechanisms to ensure that all your security needs are met. 


No matter how much time you spend securing your operating system, if your workstation or server is physically stolen, you can be sure that your sensitive data will be accessed by someone other than you. One way to thwart this type of attack is to encrypt your root and other file systems. One tool you can use in FreeBSD to encrypt your file systems, and specifically to encrypt your root file system, is the cryptographic GEOM class called geli. 

Keep in mind that security doesn't end simply because you encrypted your file systems. When your server or workstation is up and running, your root and other file systems are mounted and decrypted. This leaves your sensitive data and information open to theft if your workstation or server is connected to a network, since an attacker could still breach your operating system and view or copy your data. It is up to you, the system administrator, to diligently continue to protect your operating system even after encrypting your root and other file systems. 


Geli, a different kind of disk encryption 
Starting with FreeBSD 6.0, a new cryptographic GEOM class was made available called GELI. GELI differs greatly from GBDE, the traditional disk encryption system written for FreeBSD, which was initially introduced in FreeBSD version 5.0. 

The most important features of geli are as follows: 

Utilizes the crypto(9) framework, so when there is crypto hardware available, geli will make use of it automatically. 
Supports multiple cryptographic algorithms. As of FreeBSD 7.2, geli supports AES, Blowfish, Camellia, and 3DES. 
Can optionally perform data authentication and integrity verification utilizing one of the following algorithms: HMAC/MD5, HMAC/SHA1, HMAC/RIPEMD160, HMAC/SHA256, HMAC/SHA384 or HMAC/SHA512. 
It is fast — geli performs simple sector-to-sector encryption. 


Considerations and Preparatory Work 
Before encrypting your root file system, you must first determine the authentication mechanism which decrypts the geli encrypted file system. 

Geli currently supports the following mechanisms: 

Passphrase 
Keyfile 
Keyfile plus passphrase 

The passphrase mechanism is by far the simplest to utilize and set up. All you need to get a geli encrypted root file system utilizing a passphrase is a DVD drive and DVD media of the FreeBSD operating system. 


To keyfile or not to keyfile 

If you are going to utilize just a keyfile without a passphrase, you must first consider a few things. The keyfile must be kept secure from the world, as anyone who can get their hands on the keyfile can decrypt your file systems. 

If you decide to save the keyfile locally on the boot drive that you are encrypting, then any time the server is rebooted, it automatically decrypts the root file system. This basically defeats the purpose of encryption, simply because if anyone can decrypt the drive, then it is just as vulnerable as a non-encrypted drive. 

If you decide to utilize a keyfile, you must move the keyfile to removable media and keep it secure. For example, you would put the keyfile on bootable CD or DVD media or a bootable USB device. You would then boot up the system off of the DVD or CD media, or USB device. The DVD, CD, or USB device will load the kernel, and then it will decrypt and mount the root file system. Without the DVD, CD, or USB device, you would not be able to boot up your root file system. 

Before creating the two slices, we need to determine how much space we want to utilize for the boot slice. I usually use a 300 MB slice size for the boot slice. I then dedicate the rest of the space for the second, operating system, slice. 

Figure 1. FDISK Partition Editor (the empty 40 GB disk, da0, before the slices are created) 

To reiterate, here are the basic requirements for setting up a geli encrypted root file system utilizing the different decryption mechanisms: 


DVD drive 
DVD media of the FreeBSD operating system 
Writable CD or DVD drive with blank CDR or DVDR media (method 1) 
USB port with a USB thumb drive (method 2) 
A working computer with FreeBSD installed 


To start the installation process, you must boot up your server with the FreeBSD operating system DVD media. For the below examples, I am utilizing the FreeBSD 7.2 DVD image found on the FreeBSD Project website (http://www.freebsd.org/). I'm also utilizing only one 40 GB SCSI hard disk in my workstation. 

Once the FreeBSD DVD media starts the installer, select the Fixit option from the menu. Then select option number 2 to use the live file system from the DVD media. This will drop you into a shell. 

We want to create two slices on our primary hard disk. The boot directory, where the programs and configuration files used during the operating system bootstrap are located, cannot be on an encrypted file system. 

The kernel will load from the first slice and in turn, geli will load as well. Geli will then decrypt the second slice and boot up the root and other file systems located on the partitions on slice two. 


Figure 2. FDISK Partition Editor after the two slices have been written ("Wrote FDISK partition information out successfully.") 

Figure 3. Geli init in the Fixit shell 

Fixit# ln -s /dist/lib /lib 
Fixit# ln -s /dist/boot/kernel /boot/modules 
Fixit# kldload geom_eli 
Fixit# geli init -v -b -e aes -l 256 -s 4096 /dev/da0s2 
Enter new passphrase: 
Reenter new passphrase: 
Calculating number of iterations... 
Done, using 189311 iterations. 
Metadata value stored on /dev/da0s2. 
Done. 
Fixit# 
The boot slice of 300 MB is large enough to accommodate my kernel and additional items. At a bare minimum, however, I recommend at least a 150 MB slice. Please be aware that if you do not give yourself enough room on your boot slice, you may run into disk constraint problems in the future when upgrading your server. 

At the command prompt, you would use the fdisk utility to create your two slices. Please refer to the fdisk(8) man page for more information on utilizing fdisk. 

If you are unfamiliar with the fdisk command or utility, you can use the guided sysinstall utility to create your two slices. To do this, type exit at the command prompt to go back to the sysinstall menu. Next, go back to the sysinstall main menu. From there, select Configure. Now scroll down and select the Fdisk option. This will bring you to the FDISK Partition Editor. 

Now let's create our two slices using the FDISK Partition Editor. Hit c 


Listing 1. Partitioning scheme 

# /dev/da0s2.eli: 
6 partitions: 
#        size   offset    fstype   [fsize bsize bps/cpg] 
  a:       2G        *    4.2BSD        0     0     0 
  b:       2G        *      swap 
  c:        *        0    unused        0     0         # "raw" part, don't edit 
  d:       4G        *    4.2BSD        0     0     0 
  e:       2G        *    4.2BSD        0     0     0 
  f:        *        *    4.2BSD        0     0     0 


for Create Slice and specify a value of 300M. Set the type to 165, which is the default, to create a native FreeBSD slice. Now hit c again to create the second slice. Select the default value given for the size, which should already be set to the maximum available space left on the drive. Then set the type to 165 again. Now hit w to write the changes to the disk. You will then be asked if you want to install a boot manager. Install the FreeBSD Boot Manager and then hit OK. FDISK should have completed successfully now (Figure 2). Hit q to exit the FDISK Partition Editor. 

Now that we have created the two slices, go back to the sysinstall main menu and go back to the Fixit shell. 

Once at the Fixit shell, we want to first set up our editor. To do this, issue the following command: 


# export EDITOR=/dist/usr/bin/vi 


Now that our default editor is set up, we want to create two symlinks so that we 


Figure 4. Installbase 

Fixit# cd /dist/7.2-RELEASE/base 
Fixit# ./install.sh 
You are about to extract the base distribution into /mnt/new - are you SURE 
you want to do this over your installed system (y/n)? y 

Figure 5. Bootup (the loader prompts "Enter passphrase for da0s2:", GEOM_ELI reports "Device da0s2.eli created", "Encryption: AES-CBC 256" and "Crypto: software", GEOM_LABEL prints a ufsid label for da0s1a and for each of da0s2.elia, da0s2.elid, da0s2.elie and da0s2.elif, and the kernel logs "Trying to mount root from ufs:/dev/da0s2.elia") 
can load the geli kernel module. Issue the following commands at the command prompt: 

# ln -s /dist/lib /lib 
# ln -s /dist/boot/kernel /boot/modules 


Now we can load the geli module. Issue the following command to load the geli module: 

# kldload geom_eli 

Now that geli is loaded, let us encrypt our second slice. My second slice is called da0s2, so I will issue the following command: 

# geli init -v -b -e aes -l 256 -s 4096 /dev/da0s2 

The -b option specifies that I want geli to ask for the passphrase on boot. The -e and -l options specify the encryption algorithm and key length. In this example, I want to use AES 256. The -s option specifies the sector size. I chose a large sector size to increase performance. Please refer to the geli(8) man page for detailed configuration information. 

When issuing the geli init command, you will be asked to specify a passphrase twice (Figure 3). 

Now that our slice is encrypted, we need to attach our slice so that we can start using it. Issue the following command to attach the slice: 


# geli attach /dev/da0s2 

You will be asked for your passphrase before the slice is attached. Once the slice is attached, or decrypted, it will be made available to the operating system via a new device. In this case, our new device is called /dev/da0s2.eli. 

We now create a single partition on our first, or boot, slice. Issue the following command: 

# bsdlabel -w /dev/da0s1 

This will create a device called /dev/da0s1a. 

We need to now create our partitions on the second slice. Issue the following commands: 

# bsdlabel -w /dev/da0s2.eli 
# bsdlabel -e /dev/da0s2.eli 

You must now decide how you want to partition your operating system. For this example, I'm going to use the following scheme (see Listing 1). 

In this example, I'm going to use partition a as my root / file system and I'm allocating 2 GB of space for it. Partition b is my swap and I'm allocating 2 GB to it. Partition d will be my /var directory and I'm allocating 4 GB to it. Partition e will be my /tmp directory and I'm allocating 2 GB to it. And finally, partition f will be my /usr directory and I'm allocating all available space to it. 


Note 

I'm leaving the offset values at *, which will make bsdlabel handle the values automatically. 

Now save and exit the bsdlabel screen. We can now create our file systems using the newfs command. Issue the following commands (see Listing 2). 

As you noticed, I issued the -O 2 option to newfs. This creates a UFS 2 file system rather than a UFS 1 file system. Please refer to the newfs(8) man page for more options. 

Now that we created our new file systems, we want to mount them. To do this, we must first create our mount points. Issue the following commands at the command prompt: 

# mkdir /mnt/boot 
# mkdir /mnt/new 

We can now mount our file systems by issuing the following commands: 

# mount /dev/da0s1a /mnt/boot 
# mount /dev/da0s2.elia /mnt/new 

Now that our root file system is mounted to /mnt/new, we need to create the directory structure to mount our other file systems. Issue the following commands: 

# mkdir /mnt/new/var 
# mkdir /mnt/new/tmp 
# mkdir /mnt/new/usr 

Now we can go ahead and mount our other file systems that we created: 

# mount /dev/da0s2.elid /mnt/new/var 
# mount /dev/da0s2.elif /mnt/new/usr 
Note that I am not mounting the /dev/da0s2.elie device, or our /tmp file system. The reason behind this is that during the operating system installation that we are going to be doing, no information is going to be written to that file system. 

Now that our file systems are mounted, we can go ahead and install the operating system. Before we proceed with the installation, we need to specify the location we are going to install the operating system files into. To do this, issue the following command: 

# export DESTDIR=/mnt/new 

We can now install the operating system. Issue the following commands to start the installation process: 

# cd /dist/7.2-RELEASE/base 
# ./install.sh 

You will be asked to confirm that you want to install the base into /mnt/new. Just type y and hit enter (Figure 4). This step will take a few minutes depending on the speed of your DVD drive and hard drive. 

If you are using a different version of FreeBSD, replace 7.2-RELEASE with the name corresponding to the version you are installing. 

The base operating system will now install onto our encrypted slice and partitions, which are mounted and decrypted. 


Listing 2. File system creation 

# newfs -O 2 /dev/da0s1a 
# newfs -O 2 /dev/da0s2.elia 
# newfs -O 2 /dev/da0s2.elid 
# newfs -O 2 /dev/da0s2.elie 
# newfs -O 2 /dev/da0s2.elif 

Listing 3. Sample fstab entries 

# Device           Mountpoint   FStype   Options   Dump   Pass# 
/dev/da0s2.elib    none         swap     sw        0      0 
/dev/da0s2.elia    /            ufs      rw        1      1 
/dev/da0s2.elid    /var         ufs      rw        2      2 
/dev/da0s2.elie    /tmp         ufs      rw        2      2 
/dev/da0s2.elif    /usr         ufs      rw        2      2 
If you optionally want to install the man pages, you can issue the following commands: 

# cd /dist/7.2-RELEASE/manpages 
# ./install.sh 

Likewise, if you want to optionally install the FreeBSD docs, you can issue the following commands: 

# cd /dist/7.2-RELEASE/doc 
# ./install.sh 

Now that our base operating system is installed, we want to install our kernel. Issue the following commands to install the kernel: 

# cd /dist/7.2-RELEASE/kernels 
# ./install.sh generic 

The kernel will install itself into the /mnt/new/boot/GENERIC directory. We now want to move the kernel to its proper location. Issue the following commands at the command prompt: 

# rmdir /mnt/new/boot/kernel 
# mv /mnt/new/boot/GENERIC /mnt/new/boot/kernel 

We now want to make sure that geli loads during the boot-up process so that it can decrypt our encrypted root file system. To do this, issue the following command: 

# echo geom_eli_load=\"YES\" > /mnt/new/boot/loader.conf 


Geli and kbdmux, the keyboard multiplexer driver, seem to have problems working together. For geli to work properly, we need to disable the kbdmux driver. We can do this by issuing the following command at the command prompt: 

# echo hint.kbdmux.0.disabled=\"1\" >> /mnt/new/boot/device.hints 


Now that we have our boot directory set up on the /mnt/new file system, we want to copy it over to our boot slice. 

We want to make sure that we preserve all file permissions, file modes, user IDs, and group IDs. To do this, issue the cp command with the p option and the R option, for recursion, as follows: 

# cp -Rp /mnt/new/boot /mnt/boot/ 

We now want to create a proper fstab so that our file system is mounted properly on boot-up. Issue the following command at the command prompt: 

# vi /mnt/new/etc/fstab 


Based on the partitions | created, | would 
create the following entries within the 
fstab file (see Listing 3). 

You can specify additional options 
or make changes to the above entries 
based on your needs. Please reference 
the fstab(5) man page for more informa- 
tion. 

Now that we created an fstab, we 
want to copy it over to the boot slice. To 
do this, issue the following commands: 


# mkdir /mnt/boot/etc 
# cp /mnt/new/etc/fstab /mnt/boot/etc/fstab 
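Before unmounting and rebooting, it is worth checking that everything the loader needs really is on the unencrypted boot slice, because a missing geom_eli_load line, a forgotten kbdmux hint or a stale fstab copy only shows up as a system that cannot find its root. The script below is an added example and not part of the article; it only reads files under the article's two mount points (/mnt/boot for the boot slice, /mnt/new for the encrypted root) and the function name check_boot_slice is mine.

```shell
#!/bin/sh
# Pre-reboot check for the layout built above: an unencrypted boot slice
# (mounted on /mnt/boot) and the geli-backed root (mounted on /mnt/new).
# Added example, not part of the article; it only reads files, so it can
# be run from the Fixit shell before the umount step:
#
#   check_boot_slice /mnt/boot /mnt/new
#
# Prints one line per problem found and returns 1 if there was any, 0 if not.

check_boot_slice() {
    bootdir="$1"
    rootdir="$2"
    rc=0

    # The loader reads everything it needs from the boot slice: the kernel,
    # the geli module, loader.conf, device.hints and the copied fstab.
    for f in boot/kernel/kernel boot/kernel/geom_eli.ko \
             boot/loader.conf boot/device.hints etc/fstab; do
        if [ ! -f "$bootdir/$f" ]; then
            printf 'missing: %s/%s\n' "$bootdir" "$f"
            rc=1
        fi
    done

    # Without geom_eli_load the loader never asks for the passphrase and
    # the kernel finds no root file system.
    if ! grep -q '^geom_eli_load="YES"' "$bootdir/boot/loader.conf" 2>/dev/null; then
        printf '%s/boot/loader.conf does not set geom_eli_load="YES"\n' "$bootdir"
        rc=1
    fi

    # The article disables kbdmux so the passphrase prompt accepts input.
    if ! grep -q '^hint.kbdmux.0.disabled="1"' "$bootdir/boot/device.hints" 2>/dev/null; then
        printf '%s/boot/device.hints does not disable kbdmux\n' "$bootdir"
        rc=1
    fi

    # fstab lives on the root slice but is also copied to the boot slice;
    # a stale copy is the usual cause of a failed mount after an upgrade.
    if ! cmp -s "$bootdir/etc/fstab" "$rootdir/etc/fstab"; then
        printf 'etc/fstab differs between %s and %s\n' "$bootdir" "$rootdir"
        rc=1
    fi

    # The root entry itself must name a geli provider (*.elia); otherwise
    # the system would quietly boot from an unencrypted device.
    if ! awk '$2 == "/" && $1 ~ /\.eli/ { ok = 1 } END { exit !ok }' \
            "$rootdir/etc/fstab" 2>/dev/null; then
        printf '%s/etc/fstab does not mount / from a .eli device\n' "$rootdir"
        rc=1
    fi

    return $rc
}

# Run the check when invoked as a script with the two mount points.
if [ "$#" -eq 2 ]; then
    check_boot_slice "$1" "$2"
fi
```

The same check applies to the upgrade procedure later in the article: after copying a new /boot to the boot slice, run it again before unmounting.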


We are now finished with setting up our 
system. We can unmount our file sys- 
tems and then reboot our server. Issue 
the following commands: 

# umount /mnt/boot 
# umount /mnt/new/var 
# umount /mnt/new/usr 
# umount /mnt/new 


You can now power cycle your server. 
Make sure you remove the FreeBSD 
installation media. When the server 
reboots, you will be presented with a 
prompt asking you to specify your pass- 
phrase. 


Listing 4. Partitioning scheme 

# /dev/da1.eli: 
6 partitions: 
#        size   offset    fstype   [fsize bsize bps/cpg] 
  a:       2G        *    4.2BSD        0     0     0 
  b:       2G        *      swap 
  c:        *        0    unused        0     0         # "raw" part, don't edit 
  d:       4G        *    4.2BSD        0     0     0 
  e:       2G        *    4.2BSD        0     0     0 
  f:        *        *    4.2BSD        0     0     0 

Listing 5. Sample fstab entries 

# Device          Mountpoint   FStype   Options   Dump   Pass# 
/dev/da0.elib     none         swap     sw        0      0 
/dev/da0.elia     /            ufs      rw        1      1 
/dev/da0.elid     /var         ufs      rw        2      2 
/dev/da0.elie     /tmp         ufs      rw        2      2 
/dev/da0.elif     /usr         ufs      rw        2      2 
Once you specify the proper passphrase, geli will decrypt and mount the file systems (Figure 5). You can now login as root. Note that there is no password for root yet. Your server or workstation is not configured. You would need to configure your server or workstation and create a proper 
Upgrades, Updates, and Patching 

One thing to consider when running this kind of setup is that your boot slice will need to be updated in parallel with your root slice. If you decide to compile a new kernel, you want to make sure that you enable geli within your new kernel. To do this, just specify the following options within your kernel configuration file: 

options GEOM_ELI 
device crypto 

For additional information on compiling a new kernel, reference chapter 8 of the FreeBSD handbook. 

Once you compile a new kernel and you install it, you will need to make sure you copy it over to your boot slice. You can always mount your boot slice and copy over the new updates. For example, you could do something like this: 

# mkdir /mnt/boot 
# mount /dev/da0s1a /mnt/boot 
# rm -R /mnt/boot/boot 
# cp -Rp /boot /mnt/boot/ 
# umount /mnt/boot 


If you ever run into an issue where you accidentally damaged your boot partition and you can't boot up your operating system, you can always boot off of the FreeBSD operating system DVD media. You can then go to the Fixit shell, load geli, and then mount your encrypted file systems along with your boot partition. You can then repair whatever damage you may have caused. If all else fails, you can always install the default kernel that is found on the FreeBSD operating system DVD media. 


Using a boot CD/DVD or USB drive to load an encrypted FreeBSD root file system 

In this section of the article, we're going to create a boot CD or DVD to boot up and decrypt our encrypted root file system. We are going to use a keyfile and password to decrypt our root file system. 

If you don't want to use a boot CD or DVD, you can always use a bootable USB thumb drive. 

Using a boot CD or DVD, or booting off of a USB drive to decrypt and mount a FreeBSD root file system requires that you already have a FreeBSD server up and running. You will also need a spare hard drive that you will be encrypting and installing the FreeBSD operating system onto. 

In this article, I am running a workstation with FreeBSD 7.2 already installed. I have two SCSI hard drives. They are as follows: 

Drive da0 — contains my FreeBSD 7.2 installation. 
Drive da1 — empty disk which will contain my new encrypted root file system. 


To start, boot up into a shell prompt on your workstation. Make sure you have the geli kernel module compiled into your kernel. If you don't, you will need to recompile your kernel with geli support. Please reference chapter 8 of the FreeBSD handbook for information on how to recompile your kernel. 

We need to load the geli module, so issue the following command at the command prompt: 

# kldload geom_eli 


Now that geli is loaded, we need to first create a directory where we will store our keyfile temporarily. For this example, I'm going to store my keyfile in the /root/boot/key directory. I then want to create a keyfile that is 256k in size. 

# mkdir -p /root/boot/key 
# dd if=/dev/random of=/root/boot/key/master.key bs=256k count=1 

I created a keyfile with random binary data located in the /root/boot/key directory called master.key. 

Next I want to create my encrypted disk. I want to use a keyfile along with a password. This gives me additional protection in case someone gets hold of my keyfile. 
# geli init -v -b -e aes -l 256 -s 4096 -K /root/boot/key/master.key /dev/da1 

As you can see, I added the -K option to the geli init command. This specifies that I want to use a keyfile. 

Now that our disk is encrypted, we need to attach our disk so that we can start using it. Issue the following command to attach the disk: 

# geli attach -k /root/boot/key/master.key /dev/da1 

Note that we specified the -k option, in lower case, with the path to our keyfile. You will be asked for your passphrase before the disk is attached. Once the disk is attached, or decrypted, it will be made available to the operating system via a new device. In this case, our new device is called /dev/da1.eli. 

We need to now create our partitions on the attached drive. Issue the following commands: 

# bsdlabel -w /dev/da1.eli 
# bsdlabel -e /dev/da1.eli 

You must now decide how you want to partition your operating system. For this example, I'm going to use the following scheme (see Listing 4). 

In this example, I'm going to use partition a as my root / file system and I'm allocating 2 GB of space for it. Partition b is my swap and I'm allocating 2 GB to it. Partition d will be my /var directory and I'm allocating 4 GB to it. Partition e will be my /tmp directory and I'm allocating 2 GB to it. And finally, partition f will be my /usr directory and I'm allocating all available space to it. Note that I'm leaving the offset values at *, which will make bsdlabel handle the values automatically. 

Figure 6. Bootup 2 (the loader asks for the passphrase for da0, GEOM_ELI reports "Device da0.eli created", "Encryption: AES-CBC 256" and "Crypto: software", GEOM_LABEL prints a ufsid label for each of da0.elia, da0.elid, da0.elie and da0.elif, the kernel logs "Trying to mount root from ufs:/dev/da0.elia", loads the configuration files and configures kernel dumps on /dev/da0.elib) 

Now save and exit the bsdlabel screen. We can now create our file systems using the newfs command. I'm going to create UFS 2 file systems, so I issue the following commands: 

# newfs -O 2 /dev/da1.elia 
# newfs -O 2 /dev/da1.elid 
# newfs -O 2 /dev/da1.elie 
# newfs -O 2 /dev/da1.elif 

Now that we created our new file systems, we want to mount them. To do this, we must first create our mount point. Issue the following command at the command prompt: 

# mkdir /mnt/new 

We can now mount our file system by issuing the following command: 

# mount /dev/da1.elia /mnt/new 

Now that our root file system is mounted to /mnt/new, we need to create the directory structure to mount our other file systems. Issue the following commands: 

# mkdir /mnt/new/var 
# mkdir /mnt/new/tmp 
# mkdir /mnt/new/usr 

Now we can go ahead and mount our other file systems that we created: 

# mount /dev/da1.elid /mnt/new/var 
# mount /dev/da1.elif /mnt/new/usr 

Note that I am not mounting the /dev/da1.elie device, or our /tmp file system. 


The reason behind this is that during the operating system installation that we are going to be doing, no information is going to be written to that file system. 

Now that our file systems are mounted, we can go ahead and install the operating system. You are going to need to download the full FreeBSD source via csup or cvsup. For information on how to download the FreeBSD source, please refer to chapter 6 of the FreeBSD handbook. 

By default, you should have downloaded the FreeBSD source into the /usr/src directory. We're going to need to buildworld first, so issue the following commands: 

# cd /usr/src 
# make buildworld 

Please note that this will take quite a while depending upon the speed of your workstation or server. Now that you have compiled the source, we want to install it on the new encrypted file system. Issue the following commands to install the compiled source to our encrypted disk: 

# make installworld DESTDIR=/mnt/new 
# make distribution DESTDIR=/mnt/new 


Now that we're done installing the 
FreeBSD operating system on the 
new drive, we want to compile a new 
kernel. 

If you want to compile a custom 
kernel, make sure that you have geli 
enabled and that you disabled kbdmux. 
To enable geli, add the following to your 
custom kernel: 


Figure 7. Fixit 

You are now running from FreeBSD media.  Media is mounted as /mnt2. 
When you're finished with this shell, please type exit. 
You might want to symlink /mnt/etc/*pwd.db and /mnt/etc/group to /etc after 
mounting a root filesystem from your disk.  tar(1) will not restore all 
permissions correctly otherwise! 
Note: you can use the arrow keys to browse through the command history of 
this shell. 
Good Luck! 
Fixit# 


options GEOM_ELI 
device crypto 

To disable kbdmux, make sure you omit the following line from your custom kernel: 

device kbdmux # keyboard multiplexer 


For additional information on compiling a custom kernel, reference chapter 8 of the FreeBSD handbook. 

To compile our kernel, we issue the following command: 

# make buildkernel KERNCONF=GENERIC 

In this example, I'm going to use the generic kernel. After your kernel compiles, install it onto your new drive by issuing the following command: 

# make installkernel KERNCONF=GENERIC DESTDIR=/mnt/new 


We now want to make sure that geli loads during the boot-up process so that it can decrypt our encrypted root file system. 

To do this, we want to edit the loader.conf file. Issue the following command: 

# vi /mnt/new/boot/loader.conf 

We now want to create the proper entries in the loader.conf so that it loads geli and the keyfile. Do this by putting the following in the loader.conf: 

geom_eli_load="YES" 
geli_da0_keyfile0_load="YES" 
geli_da0_keyfile0_type="da0:geli_keyfile0" 
geli_da0_keyfile0_name="/key/master.key" 


Keep in mind that while we're setting up the loader.conf file, you have to reference the hard drive by what it will be called when you move it to its final destination. For example, I'm going to put my second SCSI drive, called da1, into a new workstation. On that workstation, it will become the primary drive, or da0. Replace da0 in the above example with whatever name the drive will become. 

Geli and kbdmux, the keyboard 
multiplexer driver, seem to have 
problems working together. For geli to 
work properly, we need to disable the 
kbdmux driver. We can do this by issuing 
the following command at the command 
prompt: 

# echo hint.kbdmux.0.disabled=\"1\" >> /mnt/new/boot/device.hints 

This will not be necessary if you disabled 
kbdmux inside the kernel. 

Now that we have our boot directory 
set up on the /mnt/new file system, we 
want to copy it over to our temporary 
boot directory, which in this case will be 
/root/boot. We want to make sure that we 
preserve all file permissions, file modes, 
user IDs, and group IDs. To do this, issue 
the cp command with the -p option, to 
preserve those attributes, and the -R option, 
for recursion, as follows: 

# cp -Rp /mnt/new/boot /root/boot/ 


We now want to create a proper fstab so 
that our file system is mounted properly 
on boot-up. Issue the following command 
at the command prompt: 


# vi /mnt/new/etc/fstab 


Based on the partitions I created, I would 
create the following entries within the 
fstab file (see Listing 5). 

Again, keep in mind that I am 
referencing the final location of the 
drive. When I move this drive to my other 
workstation, it will become the primary 
drive and it will be referenced as da0 in 
the operating system. 

You can specify additional options 
or make changes to the above entries 
based on your needs. Please reference 
the fstab(5) man page for more 
information. 

Now that we created an fstab, we 
want to copy it over to our temporary 
boot directory. To do this, issue the follow- 
ing commands: 


# mkdir /root/boot/etc 
# cp /mnt/new/etc/fstab /root/boot/etc/fstab 


We are now finished with setting up our 
system. We can now unmount our file 
systems. Issue the following commands: 


# umount /mnt/new/var 
# umount /mnt/new/usr 
# umount /mnt/new 


We now want to either create a bootable 
CD or DVD, or use a bootable USB thumb 
drive to boot up our new system. To use 
a bootable CD or DVD, install CDRTools 
from the ports directory (sysutils/ 
cdrtools). This will install mkisofs, which 
we will use to create our bootable CD 
or DVD. 

Issue the following command at the 
command prompt to create our bootable 
CD or DVD: 

# mkisofs -R -no-emul-boot -b boot/cdboot -o /root/boot.iso /root/boot 


The above command will take the items 
inside your /root/boot directory and 
create a proper CD or ISO image. You 
can now burn the ISO image to a CD 
or DVD using your favorite CD or DVD 
burning software. 
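Before running mkisofs it is worth checking that the staged /root/boot tree is internally consistent, since a loader.conf or fstab that still names the drive as it was called in the old machine produces a disc that cannot unlock the root file system. The POSIX sh script below is an added example, not code from the article; it assumes the article's layout (boot/loader.conf, etc/fstab and key/master.key under the staging directory) and da0s1a- or ada0p2-style partition names.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check the /root/boot staging
# tree before running mkisofs. The article stresses that loader.conf and
# fstab must name the drive as it will be called in the *final* machine
# (da1 in the old box becomes da0 in the new one); a mismatch leaves an
# unbootable rescue disc. Layout assumed, as in the article:
#   DIR/boot/loader.conf   DIR/etc/fstab   DIR/key/master.key
# Partition names are assumed to follow the da0s1a / ada0p2 patterns.

# Device named by the geli_<dev>_keyfile0_load entry of a loader.conf,
# e.g. "da0". Prints nothing when the entry is absent.
geli_dev_from_loader_conf() {
    sed -n 's/^geli_\([a-z]*[0-9]*\)_keyfile0_load="YES".*/\1/p' "$1" | head -n 1
}

# Disk that carries the root filesystem in an fstab, with the partition
# suffix and the .eli marker stripped: "/dev/da0s1a.eli / ufs ..." -> "da0".
root_dev_from_fstab() {
    awk '$2 == "/" { print $1 }' "$1" \
        | sed -n 's|^/dev/\([a-z]*[0-9]*\)[sp][0-9].*|\1|p' | head -n 1
}

# Keyfile path that loader.conf tells the loader to read for device $2,
# e.g. "/key/master.key" (a path relative to the boot medium).
keyfile_from_loader_conf() {
    sed -n "s/^geli_$2_keyfile0_name=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_boot_staging DIR FINAL_DEV
# Returns 0 when loader.conf, fstab and the keyfile all agree on FINAL_DEV;
# otherwise prints every problem found and returns 1.
check_boot_staging() {
    dir=$1
    want=$2
    rc=0
    lc="$dir/boot/loader.conf"
    fs="$dir/etc/fstab"
    [ -f "$lc" ] || { echo "missing $lc"; return 1; }
    [ -f "$fs" ] || { echo "missing $fs"; return 1; }

    # geli itself must be loaded, or the keyfile entries are meaningless
    grep -q '^geom_eli_load="YES"' "$lc" \
        || { echo "geom_eli_load is not set to YES in loader.conf"; rc=1; }

    ldev=$(geli_dev_from_loader_conf "$lc")
    [ "$ldev" = "$want" ] \
        || { echo "loader.conf keyfile entry is for '$ldev', expected '$want'"; rc=1; }

    fdev=$(root_dev_from_fstab "$fs")
    [ "$fdev" = "$want" ] \
        || { echo "fstab root filesystem is on '$fdev', expected '$want'"; rc=1; }

    # the root entry must point at the .eli provider, not the raw partition
    awk '$2 == "/" && $1 ~ /\.eli$/ { found = 1 } END { exit found ? 0 : 1 }' "$fs" \
        || { echo "fstab root entry does not mount a .eli provider"; rc=1; }

    kf=$(keyfile_from_loader_conf "$lc" "$want")
    if [ -z "$kf" ]; then
        echo "no geli_${want}_keyfile0_name entry in loader.conf"; rc=1
    elif [ ! -f "$dir$kf" ]; then
        echo "keyfile $kf named in loader.conf is not in $dir"; rc=1
    fi
    return $rc
}

# Usage: sh check_boot_staging.sh /root/boot da0
if [ $# -eq 2 ]; then
    check_boot_staging "$1" "$2" && echo "staging tree is consistent for $2"
fi
```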

You can now shut down your 
workstation and move the new drive to 
the new workstation or server. You will 
need to use your bootable CD or DVD to 
start up your workstation. During the boot 
up process, you will be asked for your 
passphrase. The keyfile will automatically 
be loaded (Figure 6). You will not be 
able to boot up your operating system 
unless you use your bootable CD or DVD 
media. 

Keep in mind that you have a copy 
of your keyfile within the root directory 
located at /root/boot/key/master.key. 
I recommend you delete this file and 
the ISO image you created for security 
purposes. Your ISO image also contains 
your masterkey file within it. You should 
also consider creating a second, backup, 
copy of the DVD or CD in case the first 
one gets damaged. 

If you decide to use a bootable USB 
thumb drive instead of a bootable DVD 
or CD, you need to make sure that your 
computer's BIOS supports booting off 
of USB devices. To set up a bootable 
USB thumb drive, you would partition 
and format the USB thumb drive using 
fdisk and bsdlabel. You would issue 
the -B option to both so that it creates 
a bootable partition. You would then 
mount and copy over the /root/boot 
directory. 


Upgrades, Updates, and Patching 
One thing to consider when running 
this kind of setup is that if you lose your 
bootable CD or DVD, you will lose your 
whole drive. Therefore, I recommend you 
create a backup bootable CD or DVD 
and keep it in a safe, secure place. 
Keep in mind that if you need to 
recompile your kernel, you will need to 
create a new boot CD or DVD. When 
you compile a new kernel, copy over the 
new kernel to your /root/boot directory. 
Then copy your keyfile from the CD or 
DVD into the /root/boot/key/master.key 
location. After that, you can create a 
bootable ISO and burn to DVD or CD. 
Remember to delete your masterkey 
and the bootable ISO off of your hard 
drive when you are done burning your 
DVD or CD. If instead of a bootable CD 
or DVD, you are using a bootable USB 
boot drive, you will need to mount your 
USB device and copy over the updated 
kernel. 
Setting up PC-BSD as a Server 

Jan Stedehouder 


PC-BSD is so easy to install and the KDE desktop easy enough to use that we might 
almost forget its roots as a server operating system. Now, and in the future, the majority 
of desktop users might not consider this piece of information of any value. 

But in others, the tinkerers, it might trigger the itch to 
try their hand at setting up a BSD- or Linux-based 
server. FreeNAS (BSD) or ClarkConnect (Linux) are 
tailor-made for such an experiment. 

Personally, I am the proud owner of a Bubba|Two home 
server, which, in essence, is a Debian-based appliance with 
an easy-to-understand web interface to set up the file, mail, 
media and print servers. My question then became: would 
it be possible to build something similar but with PC-BSD as 
a starting point? The answer, no doubt, is: sure, why not? In 
this series of articles we will build up a home server, adding 
new building blocks step by step. The starting point is that 
of a desktop user, used as he or she is to a nice graphical 
user interface. The first article deals with installing PC-BSD as 
a server, installing Webmin (a web-based tool to manage this 
new server) and making changes to the firewall in order to be 
able to use Webmin. 


Installing PC-BSD as a server 

The option to install PC-BSD as server is already part of the 
graphical installation wizard. Just put the cd or dvd in the drive 
and boot the computer. Following the wizard we need to set 
up the system language and the keyboard layout, agree to 
the license agreement, before we can select Server edition as 
installation option (Figure 1). 

This selection is the only one different from a regular 
installation of the desktop edition. The following steps of 
the wizard are exactly the same, including the possibility 
to install various desktop programs by selecting their PBIs 
(like Amarok and Firefox). The installer proposes a simple 
setup for the disk partitions, consisting of / and swap only. 
Compare that to the suggestion made by the FreeBSD 
installer, where the option to automatically create partitions 
also provides three additional partitions (/var, /tmp and 
/usr). Experienced users can use the partition editor in PC-BSD 
to set up the partitions according to their own needs 
(Figure 2). 

Kris Moore, the PC-BSD project leader, acknowledged 
that the differences between the two install options 
(desktop and server) are minor at the moment. In fact, all 
files needed to run a graphical user interface are still there; 
the desktop is simply disabled. Changing the settings in 
/etc/ttys would be enough to get a fully functional graphical 
desktop again. Apart from this, SSH is enabled and some 
networking is customized. For this article we stuck to the 
proposed disk layout and decided not to install additional 
PBIs. 

Once the installation is finished, please reboot the system. 
The new PC-BSD server is ready for our purposes. The 
command line awaits us (Figure 3). 


Between the command line and the graphical desktop: Webmin 

This would be enough to start adding the various building 
blocks for our home server. We can install all the software we 
need and edit the various configuration files to fine tune the 
various servers. Once our box is up and running, it isn’t even 
necessary to sit behind the actual system. With a program 
like PuTTY we are able to access the command line from 
another computer in our network (or, when all elements are 
in place, from any computer in the world with an internet 
connection). 

Webmin makes it somewhat easier to manage and 
maintain our new server. It provides a web-based interface and 
should remove the need to manually edit the configuration files. 
This doesn’t mean that it negates the need to comprehend the 
various building blocks of our server. But more about that in the 
upcoming articles. 
For now we simply want to install 
webmin. First, we will install webmin 
using the ports collection. As an 
alternative, we use a PBI to install the 
software. 


Installing webmin via ports 
Beginning with the 7x releases, PC- 
BSD keeps the FreeBSD ports tree 
completely separate from the PC-BSD 
base desktop system. This might not 
sit well with experienced FreeBSD 
users, but makes sense when thinking 
about the goal PC-BSD has in mind 
and its target audience. Keeping the 
two separate allows for us to play with 
the ports without affecting our PC-BSD 
desktop negatively. And changes to the 
PC-BSD desktop won't corrupt the ports 
tree. Feel free to read up on this in the 
PC-BSD Handbook (http://wiki.pcbsd.org/ 
index.php/PC-BSD_Users_Handbook). 

The first step is to become root by 
entering: 

$ su 

and provide your administrator password. 

Then, we need to switch to what is 
called the FreeBSD LOCALBASE: 

# runports 

If all is well, we see the message: 

Running as root. You may now run 'make' in the FreeBSD Ports tree 
# 
During installation we opted not to 
install any additional components, which 
included the ports collection. At this point 
we need to get a new ports tree. For that, 
please enter (Figure 4): 

# portsnap fetch 
# portsnap extract 

Once this is finished we can install 
webmin by using the following 
instructions: 

# cd /usr/ports/sysutils/webmin 
# make install clean 


All dependencies will be taken care 
of, but we need to stay behind our 
computer to answer a few questions 
here and there (for instance while 
installing perl). The default answers 
should suffice. 

Figure 1. The PC-BSD disks provide an option to install the OS as server 

Figure 2. The PC-BSD server install chooses a simple set of partitions 

Figure 3. For someone used to a graphical user interface this takes some getting used to 

Figure 4. We need to get a clean ports tree in order to install webmin 

Figure 5. Using a non-secure connection when SSL is enabled, webmin kindly suggests using the proper URL 

Figure 6. When we see this message scrolling by, we are certain that webmin is running 

Now we need to set up webmin, for 
which we use: 

# /usr/local/lib/webmin/setup.sh 

This script asks us a few questions: 

Web server port (default 10000): 
Login name (default admin): 
Login password: 
Password again: 
Use SSL (y/n): 

The default port for webmin is 10000. We 
can change the login name and should 
provide a password. It is possible to leave 
a blank password, but that's not advised. 
Another layer of security is added by 
using SSL. Without SSL we would be able 
to access the web interface by using 
http://server-ip-address:10000. SSL changes 
that to https://server-ip-address:10000 
(Figure 5). 

With this the installation of webmin is 
finished. To start the program we use: 

# /usr/local/etc/rc.d/webmin start 

If this were a regular FreeBSD server, 
we could edit the rc.conf file so webmin 
starts at boot. To do that, please use: 

# ee /etc/rc.conf 

ee is a nice command line text editor 
which is somewhat easier to use than 
vi, not in the least because it offers 
something resembling a menu with the 
various instructions. Add the following 
line: 

webmin_enable="YES" 

But this isn't a regular FreeBSD server, 
this is a PC-BSD server and webmin is 
not installed as part of the PC-BSD base 
system. We need to create (as root) a 
symlink to the /Programs/rc.d folder: 

# ln -s /usr/local/etc/rc.d/webmin /Programs/rc.d/webmin 

This way webmin is started at boot 
(Figure 6). 

Figure 7. When installing webmin via the PBI we need to make it more secure through the webmin options 

Figure 8. This shows that our installation of webmin was successful. We can login! 

Installing webmin using the PBI 
Another method is to use the PBI 
that is offered at http://www.pbidir.org. 
Simply use webmin as search phrase 
and select either the 32-bit or 64-bit 
version. What we need is the exact 
download address for the PBI. We use 
this URL in combination with 'fetch' to 
get the PBI to our server. In my case it 
came down to: 

$ fetch ftp://www.nl.freebsd.org/pub/pcbsd/PBI/Utilities/Webmin/7/x64/Webmin1.480_1-PV0.pbi 

On a graphical desktop it now boils 
down to double-clicking the PBI and 
following the wizard that appears. On the 
command line we need to change the 
file permissions first: 

# chmod 777 Webmin1.480_1-PV0.pbi 

Then we can install webmin by entering: 

# ./Webmin1.480_1-PV0.pbi -text -accept 

Using the -text option tells the installation 
we are using a text-based interface, while 
the -accept option deals with possible 
Figure 9. Webmin is a powerful tool to manage and maintain our new PC-BSD server 


pop-ups. There are some differences with 
the ports-based installation. Using the PBI 
doesn't give us the choice to enable SSL 
(disabled by default), changing the login 
name (admin by default) or providing an 
admin password (blank by default). This 
can be changed when running webmin 
(Figure 7). 


Either way, we now have a working 
version of webmin on our server. We 
are, however, still not able to access it 
from another computer in our network. 
By default most ports to the outside 
world are closed by the firewall, including 
port 10000. Installing webmin doesn't 
automagically open the gate. We need to 
edit the pf.conf file by hand: 

# ee /etc/pf.conf 

and add the line: 

pass in on em0 proto tcp from any to (em0) port 10000 keep state 


and save the file. Port 10000 is now open 
to accept requests from all computers 
that have access to our network. Mind 
you, this isn’t the most secure setup, 
but for now it will suffice. Please open a 
browser on another computer and use 
the following url: 


https://server-ip-address:10000 
(or http://server-ip-address:10000, 
when SSL is not (yet) enabled) 


In Firefox you might be asked to add an 
exception for the specific site as the SSL 
certificate isn’t recognized. When all goes 
well we will be greeted by the webmin 
login (Figure 8). 
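As the article itself notes, the rule above admits every host that can reach em0. The fragment below is an added example, not from the article or the PC-BSD project: it places the article's rule next to a tighter one that only admits addresses listed in a pf table. The 192.168.0.0/24 network and the table name admin_hosts are assumed values.

```pf
# Rule from the article: any source address that reaches em0 may open
# a TCP session to webmin's port 10000.
pass in on em0 proto tcp from any to (em0) port 10000 keep state

# Tighter variant (added example): keep a table of management hosts and
# let only those reach the web interface. The network is an assumed value;
# list just the addresses that really need webmin.
table <admin_hosts> const { 192.168.0.0/24 }
block in on em0 proto tcp from any to (em0) port 10000
pass in on em0 proto tcp from <admin_hosts> to (em0) port 10000 \
    flags S/SA keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf; because pf applies the last matching rule, the block line must stay above the pass line.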

Figure 9 gives an indication of the 
wide range of functions and options 
that can be dealt with via webmin. In 
the upcoming articles we will add new 
functions to our server, add users and 
groups and see how far we can tweak 
it all in order to provide a stable, easy 
to use, feature rich and secure home 
server. 

PS. I'd like to add a word of thanks to 
Kris Moore who answered my questions 
quickly and clearly enough for me to write 
this article. 
a Scalable Search Engine Using the BuildaSearch Web Service 

Diego Montalvo 

BuildaSearch was featured in the 4/2009 issue of BSD Magazine. While other articles 
do a fantastic job focusing on core BSD technology, I feel that it is also important to 
cover web services powered by BSD systems. 


As the Internet and web applications continue to 
evolve and become both more useful and complex, 
the operating systems behind these Internet-based 
services must also evolve into more efficient and 
powerful systems. 

Being the lead developer of BuildaSearch.com, I am very 
familiar with resource-intensive web services and their need for 
powerful operating systems. 

FreeBSD provides the power for one of the most unique 
and advanced BuildaSearch features: a real-time indexer, 
which produces extremely fresh search results in minutes. 

Since my early days developing WAP search technology 
via a FreeBSD back-end, I decided BuildaSearch would run on 
the same operating system. FreeBSD has become a critical 
part of BuildaSearch and its many search services. 

In this tutorial I will be covering web-based indexing technology 
and simple deployment procedures. After reading the following 
article you will be able to crawl one or more websites in real time and 
add a scalable search engine to your personal, business or blog 
website. Things you'll need for this tutorial: 

web server 
PHP 5.x 
SimpleXML (enabled) in PHP 
BuildaSearch XML API 

Figure 1. Giving Your Search a Name 

Figure 2. Adding Websites to be Indexed 

Figure 3. BAS Crawler Display Screen 

Note: The BuildaSearch API is programming 
language independent; you can 
use anything from JavaScript to C++ to 
parse the XML API. This tutorial provides 
a PHP5 code sample. 


Step 1. Getting Started 
Registration at BuildaSearch is pretty 
straightforward. Register and confirm 
your email address in your inbox. 

Once you login and are in the Main 
Menu, click on the Name Search link; 
next you will see the Name Your Search 
interface. Begin by typing the name you 
would like to give your search. Note: only 
letters and numbers are supported. 

The search in this tutorial is given 
the name bubba at web address: http:// 
bas.buildasearch.com/bubba (Figure 1). 

Once you are finished typing in your 
search name, click on the Add Your 
Websites link. In the smaller screen add the 
websites you would like to crawl. Note: 
You may add up to 15 different websites. 

It is important to add the entire web 
address including its protocol and host. 

correct: "http://www.abc123.com" 
incorrect: "abc123.com" 

Once you have added your list of websites, 
click close, then click on the save changes 
button. Lastly click on Continue Editing, then 
home on the top menu (Figure 2). 


Step 2. Crawling the Web 

In the Main Menu click on the BuildaSearch 
Advanced Search (BAS) link. Once in 
the BAS interface, you will notice that 
BuildaSearch offers 500 free search pages. 

Note: You may upgrade to more pages, 
but for this tutorial 500 pages is sufficient. 

Click next and you will be prompted 
with the default 500 pages and with a 
character set drop-down. Note: Most 
sites use either European latin1 or 
Unicode utf8 character sets. 

Next click on continue activation. Once 
you are ready to begin crawling your 
websites, click start crawler. Note: Crawling 
and indexing search content may take a 
few minutes. As the crawler does its magic 
you will see the list of links change. 

Once all indexing processes are 
completed, you will be prompted with 
two buttons: preview search and done. 

You may test search results by clicking 
on the preview search and entering 
your own search query into the provided 
search box. Once you are satisfied with 
testing your custom search you may 
proceed to the next step by clicking on 
done (Figure 3). 


Step 3. Using the BuildaSearch API 

The BAS XML API works similarly to other 
APIs; simply use any programming 
language of your choice to parse and 
manipulate the feed. Your custom search 
API can be viewed at the following url: 
http://bas.buildasearch.com/xml/your_search_name?e=query_string&bastart=0&bascount=10 

Step 4. Embedding and Customizing Your Search Engine 
The last step to this tutorial is parsing the 
BAS API using your choice of programming 
language. I have provided a simple 
PHP5 SimpleXML code sample below. 
Even though this code sample provides 
basic functionality, it is a great start for 
developing a more complete search engine 
which could be enhanced with pagination, 
spell checking, CSS and more. 

Listing 1. Simple XML Response 

<?xml version="1.0" encoding="UTF-8" ?> 
<response> 
  <results> 
    <query>market7</query> 
    <bastotal>171</bastotal> 
    <bastart>10</bastart> 
    <bascount>1</bascount> 
    <basresult> 
      <title><![CDATA[Shoaib Hashmi (ShoaibHashmi) on Twitter]]></title> 
      <longurl><![CDATA[http://twitter.com/ShoaibHashmi]]></longurl> 
      <basummary><![CDATA[... <b>Market7</b> Goes Big, reply to anumvighio RT @startupmeme : Provides Google With ]]></basummary> 
      <showurl><![CDATA[http://twitter.com/ShoaibHashmi]]></showurl> 
    </basresult> 
  </results> 
</response> 


Table 1. Customizable Values 

your_search_name    search name given in step one 
bastart             starting point of search results (0 default) 

Figure 4. Screenshot of Parsed Search Results 
Listing 2. PHP5 SimpleXML Code Sample 

<?php
header("Content-type: text/html; charset=UTF-8");
#########################################
# BUILDASEARCH BSD MAGAZINE EXAMPLE
# USING BAS API
# USING SIMPLEXML V.081909
#########################################
$SECRET = 'bubba'; // YOUR CUSTOM SEARCH NAME
// Read the query from the form; an absent parameter must not raise a notice
$QUERY = isset($_GET["e"]) ? urlencode($_GET["e"]) : '';
$START = 0;
$NUM = 10;
if (empty($QUERY)) {
    echo '<form method="get" action="">';
    echo '<input type="text" name="e">';
    echo '<input type="submit" value="Search">';
    echo '</form>';
} else {
    // BUILDASEARCH API URL
    $API = "http://bas.buildasearch.com/xml/" . $SECRET . "?e=" . $QUERY
         . "&bastart=" . $START . "&bascount=" . $NUM;
    // LOAD EXTERNAL BAS API
    $xml = simplexml_load_file($API, 'SimpleXMLElement', LIBXML_NOCDATA);
    if ($xml === false) {
        echo 'Search service unavailable';
        exit;
    }
    // DISPLAY TOTAL
    $result = $xml->xpath('/response/results/bastotal');
    foreach ($result as $node) {
        echo "total: ", $node, "<br/>";
    }
    // DISPLAY RECORDS BELOW
    // title and basummary carry the feed's own <b> highlighting and are
    // printed as-is; the URLs go into markup and are escaped first
    foreach ($xml->results->basresult as $record) {
        $url = htmlspecialchars((string) $record->longurl, ENT_QUOTES, 'UTF-8');
        echo '<a href="' . $url . '">' . $record->title . '</a><br/>';
        echo $record->basummary . '<br/>';
        echo htmlspecialchars((string) $record->showurl, ENT_QUOTES, 'UTF-8') . '<br/>';
        echo '<hr/>';
    }
}


Resources 

You can test drive the code sample in this tutorial at: http://www.buildasearch.com/bsdmag/ 
Obtain the code sample at the URL below: http://www.buildasearch.com/bsdmag/source.phps 


Table 2. BuildaSearch API Return Values 

query        search query 
title        title of search results, includes bold highlighted text 
basummary    text summary, includes bold highlighted text 
bastart      result set starting point 
Conclusion 

Adding an advanced search engine to your 
website can be done in minutes instead 
of hours. As BuildaSearch technology 
improves, more and more advanced 
features will be implemented into our 
web service. If you have any questions 
or comments feel free to contact me at 
diego@earthoid.com. 


About the Author 

Diego Montalvo is the founder and the core 
developer of BuildaSearch.com. When he 
is not behind the old computer, he enjoys 
chilling out, biking, painting, reading and a 
cold pint of Guinness. 
Is NetBSD ready for a desktop? 

Petr Topiarz 

In this article I am focusing on the usability of NetBSD as a desktop. I would like 
to show what NetBSD can do today and whether it is mature enough to challenge PC-BSD 
or Linux. If you want to know, keep reading. 


This article will not explain how to install NetBSD, as 
that has been covered by many other articles, but 
how to tweak it and hack it to make it work as 
user-friendly and comfortably as a current standard 
Linux distro. 


The idea of a NetBSD desktop 

I wonder if you ever had a NetBSD desktop. I used to run it, 
mainly for fun, three years ago as my secondary desktop. It 
was a lot of tweaking and tuning, but after patching the kernel and 
doing a lot of hacks it was quite nice, even with a splash 
screen when loading. However, a lot of things I needed were 
not working reliably. A year ago, or two, the pkgsrc collection 
(the main source of third party packages) went through 
major changes and both Gnome and KDE did not compile 
successfully for months. So I stopped using it. The problems at 
that time could be clearly attributed to switching the X server from 
XFree86 to Xorg, which required changing lots of dependencies 
and introducing new ones, but they were enough to keep me 
off the NetBSD system for a long time. 

However, a few months ago Jared McNeill and Andrew Doran 
announced they were starting the NetBSD Desktop project. 
You can read about it at: http://wiki.netbsd.se/Desktop_Project 
Their aim was a fully featured Gnome desktop with everything 
that Linux distros such as Ubuntu or Fedora run today regularly. 
Even automounting with hal and all the stuff. What a surprise, 
I said to myself, I knew the former name very well, as it was 
the developer who helped me patch the kernel for the loading 
splash three years ago. I became interested and tried to install 
Gnome. It compiled well both from the stable sources 200901 
and 200902 and even on current. I tried automounting with hal 
and it worked (after asking Jared McNeill for help again). I tried 
Flash 10 on native Firefox 3 and it worked. Well, it really seems 
there is something going on in the NetBSD world! If you like 
a preview of what we can expect from the NetBSD Desktop 
project, here come my notes of how to install NetBSD with all 
that a desktop needs. 


What a desktop needs

Let's find out what a regular spoiled Linux user expects from a desktop:

- complete Gnome or KDE
- nice splash while loading and cool look
- automounting USB and CDROM devices
- easy printing
- easy CD burning
- easy scanning
- OpenOffice, PDF reader, streaming player
- Skype, ICQ, Jabber, etc.
- DVD playing
- Internet streaming music playing

and a lot of other special things, I believe. Even though the items above are probably standard, I'll take you on a guided tour and we'll see if those things work on NetBSD or not.


The binary packages

The package management system on NetBSD is unique. Thanks to backwards compatibility you can theoretically use a package compiled for a two year old release on the newest kernel and userland. You can also use the newest packages on a two year old kernel and userland, e.g. use 200902 branch packages on NetBSD 4.0 if you like. A package compiled for a different release does not always work, but if there are not many changed dependencies it is likely to work. In some cases that can save you when the current package will not compile. It has its advantages and drawbacks. More than once I had to use a package compiled for the 3.0 release from an old packages branch on my 4.0 release; if I remember correctly it was the rsync package, when it failed to compile. Of course, you can never achieve the stability and perfection of the OpenBSD packages, compiled only for one Xenocara release and kernel version; however, it often allows you to find a solution when the current package is missing, especially if the package does not have too many dependencies.

You can find the packages for the Intel platform at ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0_200902/All. The number 5.0 refers to the release of NetBSD and the number 200902 refers to the frozen state of pkgsrc after the 2nd quarter of the year 2009. To use that normally as a repository you have to:

# export PKG_PATH=ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0_200902/All

If you want it to be permanent then paste the above line into /etc/profile; if it does not exist, you have to create that file. Using the packages is then very easy:

adding a gnome desktop package:
# pkg_add -v gnome

deleting the rsync package:
# pkg_delete rsync

deleting all packages at once:
# pkg_delete '*'

This can be very useful if you are upgrading from one set of packages to a newer one, e.g. from 200901 to 200902.

finding out which packages are installed:
# pkg_info

For searching for a package I truly recommend the Swedish web engine: http://pkgsrc.se. It is very helpful in finding any package or its proper name or version. It allows you to search all packages or only those in the CURRENT branch or the stable 200902 branch or earlier.

I do not use packages from NetBSD, and I do not recommend it generally.


Is NetBSD ready for a desktop? 


Thanks to the backward compatibility and the possibility to compile packages from almost any branch against any release of NetBSD and any kernel, a number of them are often not compiled against the same kernel and userland as you are using, so they do not always work as expected.

My latest bad experience was the GDM binary from the 200901 branch that installed without hesitation but always collapsed when trying to start. After searching the error logs I found out the binary was trying to use the old version of the X server and so I had to make a


Listing 1. rc.conf

# $NetBSD: rc.conf,v 1.96 2006/10/14 17:01:29 wiz Exp $
#
# see rc.conf(5) for more information.
#
# Use program=YES to enable program, NO to disable it.  program_flags are
# passed to the program on the command line.
#
# Load the defaults in from /etc/defaults/rc.conf (if it's readable).
# These can be overridden below.
#
if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
fi
# If this is not set to YES, the system will drop into single-user mode.
rc_configured=YES
# Add local overrides below
wscons=YES
dhclient=YES
sshd=YES
famd=YES
rpcbind=YES
dbus=YES
hal=YES
avahidaemon=YES
gdm=YES
cupsd=YES
slpd=NO


Listing 2. Adding more applications

#! /bin/sh
# Build and install each application from pkgsrc in turn; the && chain
# stops at the first package that fails to build.
cd /usr/pkgsrc/print/cups && make install &&
cd /usr/pkgsrc/sysutils/gnome-volume-manager && make install &&
cd /usr/pkgsrc/multimedia/adobe-flash-plugin && make install &&
cd /usr/pkgsrc/www/firefox3 && make install &&
cd /usr/pkgsrc/www/nspluginwrapper && make install &&
cd /usr/pkgsrc/net/skype && make install &&
echo "Skype, firefox3, nspluginwrapper, flash and cups printing system have installed successfully on your system!"
link from the new to the old directory to make it work. So what do I use and recommend? I use packages that I compile myself and I use the magic of pkgsrc, the packages source.


Pkgsrc

PKGSRC is a system similar to FreeBSD's ports and portage in the Linux world. PKGSRC is a hierarchy of folders and files where the information on how to compile packages, where to get them, how to patch them and how to pack them for NetBSD is stored. And it works. It works on NetBSD, it works on OpenBSD, Solaris, DragonFly BSD, Linux... probably even on a more recent version of a kitchen toaster.

Once you get into it and understand how it works and how to hack it, nothing will stop you.

NetBSD has great documentation and you will find there where to grab it and how to install it. Once installed, PKGSRC resides in /usr/pkgsrc on a NetBSD machine. There are not only sources of real packages but also sources of so called meta-packages. So make sure your connection to the Internet works, become root and descend to the folder called meta-pkgs and go to the gnome folder:

$ su

# cd /usr/pkgsrc/meta-pkgs/gnome

Then you can have a look at the Makefile where the information on what will compile is stored.

You can comment out some things or add others if you like, however, you


Figure 2. pkgsrc website (screenshot of the Browse pkgsrc page on http://pkgsrc.se, with its branch selector and a list of recently updated packages)
should know what you're doing before doing so. Then you tell the system to install the complete desktop:

# make install

and the circus starts. After a day or two, depending on your connection speed and PC capabilities, your gnome desktop is there and you will see this message appear.


$NetBSD: MESSAGE,v 1.6 2009/03/17 14:46:39 jmcneill Exp $

In order to get the GNOME Desktop running properly, you need to follow
these manual steps:

1) Enable the File Alteration Monitor, see pkg_info -D fam for more
   information. If you chose to use gamin instead of fam, you do not
   need to take this step.

2) Enable the system dbus daemon. In order to do that, copy the
   ${PREFIX}/dbus script to /etc/rc.d and add dbus=YES to your
   /etc/rc.conf file.

3) Enable the hal daemon if GNOME has been built with the hal option
   (the default). In order to do that, copy the
   ${PREFIX}/share/examples/rc.d/hal script to /etc/rc.d and set
   hal=YES in your /etc/rc.conf file.

4) Enable the cups daemon if you installed it. In order to do that,
   copy the ${PREFIX}/share/examples/rc.d/{cupsd,slpd} scripts to
   /etc/rc.d and set cupsd=YES and slpd=NO in your /etc/rc.conf file.

5) Set up the gnome-screensaver PAM service by creating the
   /etc/pam.d/gnome-screensaver file. You can use one of the files in
   ${PREFIX}/share/examples/gnome-screensaver/pam.d as templates.

6) Optionally enable the Avahi DNS Service Discovery service if you
   installed it. In order to do that, copy the
   ${PREFIX}/share/examples/rc.d/avahidaemon script to /etc/rc.d and
   set avahidaemon=YES in your /etc/rc.conf file.

7) Optionally enable GDM (highly recommended). Just copy the
   ${PREFIX}/share/examples/rc.d/gdm script to /etc/rc.d and add
   gdm=YES to your /etc/rc.conf file.


You really should do what they say if you want your computer to run gnome properly.


The /etc/rc.conf

To explain what is going on one has to understand how the system works. Pkgsrc does not make applications and servers start automatically; instead it leaves the choice up to you. So it installs all the start scripts into /usr/pkgsrc/share/examples/rc.d/. They do nothing there; however, if you copy them into /etc/rc.d/ they are ready to be used by the rc.conf file, which contains the main system start-up configuration. The rc.conf is the main start script config. NetBSD uses only this one, in fact. In FreeBSD there are also other files to use for start scripts and module loading besides /etc/rc.conf, and in OpenBSD /etc/rc.conf is rather stagnant as most configuration happens in /etc/rc.local or /etc/rc.conf.local.




Under NetBSD you have very simple control over everything that the system launches, all in one file. Services are switched on with a simple YES and off with a simple NO and you are ready to go! This choice makes NetBSD very powerful. The creators of a rather recent Linux distribution, Arch Linux, understood the advantage and adopted this concept too.

So if you want to have an OpenSSH server running on your desktop just add sshd=yes into your /etc/rc.conf. A sample rc.conf that is enough for running a desktop looks like this (see Listing 1). But let us move back to pkgsrc.
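The scripts pkgsrc drops under share/examples/rc.d do nothing until they are copied into /etc/rc.d, so a service switched on in rc.conf can silently never start. As an added example (not the article's code), here is a small POSIX sh checker that reads an rc.conf, lists every service set to YES and reports those without a start script; the three paths are assumptions matching the article's layout.

```shell
#!/bin/sh
# Added example, not from the article: check that every service switched on
# in an rc.conf has a start script in rc.d, since pkgsrc only drops its
# scripts under ${PREFIX}/share/examples/rc.d and leaves the copying to you.
# Assumption: the three locations default to the article's layout
# (/etc/rc.conf, /etc/rc.d, /usr/pkg/share/examples/rc.d); pass others
# as arguments.

# Print the names of services set to YES in an rc.conf-style file.
# Trailing comments are stripped; rc_configured is the rc(8) master switch,
# not a service, so it is skipped; *_flags lines never match the pattern.
enabled_services() {
    conf=$1
    sed -n \
        -e 's/[[:space:]]*#.*$//' \
        -e 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)="\{0,1\}[Yy][Ee][Ss]"\{0,1\}[[:space:]]*$/\1/p' \
        "$conf" | grep -v '^rc_configured$'
}

# List the enabled services that have no executable script in rc_d.
# Output is one line per missing service, saying whether a copy of the
# script exists under examples. Returns 1 if anything is missing, else 0.
missing_rc_scripts() {
    conf=$1; rc_d=$2; examples=$3; missing=0
    for svc in $(enabled_services "$conf"); do
        [ -x "$rc_d/$svc" ] && continue
        missing=1
        if [ -f "$examples/$svc" ]; then
            echo "$svc: no $rc_d/$svc; copy it from $examples/$svc"
        else
            echo "$svc: no $rc_d/$svc and no example script either"
        fi
    done
    return $missing
}

# Run as a script: rcchk.sh /etc/rc.conf [/etc/rc.d [/usr/pkg/share/examples/rc.d]]
if [ $# -gt 0 ]; then
    missing_rc_scripts "$1" "${2:-/etc/rc.d}" "${3:-/usr/pkg/share/examples/rc.d}"
fi
```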


The /etc/mk.conf

The file called mk.conf contains information on compiling. You can put


Listing 3. Editing /usr/pkg/etc/PolicyKit/PolicyKit.conf

<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">
<!-- See the manual page PolicyKit.conf(5) for file format -->
<config version="0.1">
    <match user="root">
        <return result="yes"/>
    </match>
    <match user="peter">
        <return result="yes"/>
    </match>
    <define_admin_auth group="wheel"/>
</config>


Listing 4. Scanning

# sane-find-scanner

  # sane-find-scanner will now attempt to detect your scanner. If the
  # result is different from what you expected, first make sure your
  # scanner is powered up and properly connected to your computer.

  # No SCSI scanners found. If you expected something different, make sure that
  # you have loaded a kernel SCSI driver for your SCSI adapter.

found USB scanner (vendor=0x03f0 [hewlett packard], product=0x4105 [hp scanjet]) at libusb:/dev/usb0:/dev/ugen0
various options here, but for the moment we will stick to allowing pkgsrc to compile the things we need and accept licenses, and add these lines to /etc/mk.conf:

ACCEPTABLE_LICENSES+= flash-license
ACCEPTABLE_LICENSES+= skype-license

If you are interested in what you agree to, go to the pkgsrc folder containing the sources of that program and issue the following command:

$ cd /usr/pkgsrc/net/skype
$ make show-license


Adding more applications

We now have a nice NetBSD desktop with the GNOME environment, but we are still nowhere: no Firefox, no Flash, no automounting, nothing a spoiled Linux user considers appropriate for a desktop. Here is a sample script that will make the choice for you; feel free to change it to your needs (see Listing 2).


Pkgsrc on a laptop

You have probably noticed that a Gnome desktop takes a day or longer to compile, and extra hours are needed to compile the rest of the applications you want. Who can stop using his/her laptop for three days or longer? Here packages come in handy. As I showed above, packages from the Internet repository can be a rather risky solution. So let's make them on our own; there is nothing easier. For example using a script (I bet there are a hundred people who could make it simpler and cleaner, but this one works):


#! /bin/sh
# Walk every category/package directory in pkgsrc and build a binary
# package wherever a build has left a work directory behind.
for i in /usr/pkgsrc/*/*
do
  if test -d "$i"
  then
    cd "$i"
    if test -d work
    then
      make package
    fi
  fi
done


This script searches your PKGSRC collection to find which packages have been compiled (they are the folders which have a stale work directory in them) and proceeds with making packages. The compiled packages appear in your /usr/pkgsrc/packages/All folder. Now you can copy them to your NetBSD laptop and then go to the folder with the packages:

# pkg_add ./gnome ./skype ./firefox3
(and so on; it solves dependencies well)

or simply:

# pkg_add *

Then a quick installation from packages breaks out and your laptop is ready in a few minutes. Of course, you have to do the configuration job with rc.conf and copy the start scripts again. This can be done on slow computers or emulated machines as well.


Cleaning pkgsrc

After the installation process, you will find out that your /usr partition is running out of space. That is because after the builds a lot of pkgsrc folders still contain stale work directories. The official web-site tells you that the only safe way to clean ports is to go to the main directory and do the following:

# cd /usr/pkgsrc/
# make clean

Figure 3. Automounting with Hal (screenshot of the automounted USB player's volume, 408.2 MB free)


After two or three days the pkgsrc is perfectly clean. The average person does not have that much time, so if you want to save some time, here is a script for your comfort:

#! /bin/sh
# Walk every category/package directory in pkgsrc and clean only those
# that still carry a work directory from an earlier build.
for i in /usr/pkgsrc/*/*
do
  if test -d "$i"
  then
    cd "$i"
    if test -d work
    then
      make clean
    fi
  fi
done
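The two scripts above, for making packages and for cleaning, walk the same directories. Added example, not the article's script: one script that does both, with quoting and per-package error handling; it assumes the article's /usr/pkgsrc layout and that a leftover work directory marks a built package.

```shell
#!/bin/sh
# Added example, not the article's script: one pass over the pkgsrc tree that
# finds every package directory left with a "work" subdirectory (the trace of
# a build that was never cleaned, as the article describes) and runs
# "make package" or "make clean" in each. Assumption: pkgsrc lives in
# $PKGSRCDIR, /usr/pkgsrc by default, with the usual category/package layout.

PKGSRCDIR=${PKGSRCDIR:-/usr/pkgsrc}

# Print category/package for every directory under root that still has a
# work directory. Nothing is changed on disk.
find_built_pkgs() {
    root=$1
    for dir in "$root"/*/*; do
        [ -d "$dir/work" ] || continue
        printf '%s\n' "${dir#"$root"/}"
    done
}

# Run one make target (package or clean) in each built package directory.
# Each make runs in a subshell, so a failing cd cannot leave the loop in the
# wrong directory; a failure is reported and the loop continues, and the
# function returns 1 if any package failed. pkgsrc paths contain no
# whitespace, so plain word splitting of the list is safe here.
run_in_built_pkgs() {
    root=$1; target=$2; failed=0
    for pkg in $(find_built_pkgs "$root"); do
        if ( cd "$root/$pkg" && make "$target" ); then
            echo "$target: $pkg done"
        else
            echo "$target: $pkg FAILED" >&2
            failed=1
        fi
    done
    return $failed
}

# Usage when run as a script: pkgsrc-pass.sh package|clean
if [ $# -gt 0 ]; then
    case $1 in
        package|clean) run_in_built_pkgs "$PKGSRCDIR" "$1" ;;
        *) echo "usage: $0 package|clean" >&2; exit 2 ;;
    esac
fi
```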


Configuring and tweaking

Well, now we think the basic work is done. Yes, we have the applications, but most of them will not do what we want yet.

Make flash work

As root issue the command:

# nspluginwrapper -l
/usr/pkg/lib/netscape/plugins/libflashplayer.so
  Original plugin:
  Wrapper version string:

This shows us where the plugin lies. Therefore we know what to install:

# nspluginwrapper -i /usr/pkg/lib/netscape/plugins/libflashplayer.so

Now fire up your Firefox 3 and you are in flash heaven on YouTube. See the screenshot from youtube.com (Figure 5).


Make hal automount the USB flash key and others

Make sure you have installed gnome-volume-manager. Then edit /usr/pkg/etc/PolicyKit/PolicyKit.conf and make sure it looks like this (see Listing 3). You need to change the line <match user="peter"> to whatever your username is. This gives you the power to mount volumes with hal and more, e.g. suspend and resume. Originally, this file only allows root to mount volumes. It can be edited much more cleverly using groups and such. See the hal pages about PolicyKit if you like: http://hal.freedesktop.org/docs/PolicyKit/. Now, USB key mounting or CD-ROM mounting should work. In case you still come across any difficulties, check if cdrom or usb is quoted in your /etc/fstab. If so, comment out those lines. Hal does not use /etc/fstab for mounting USB keys or CDs. See the screenshot showing the automounted USB iriver player T20 (Figure 3).


Make Skype talk

Skype works under Linux emulation on NetBSD. It takes some time to start and I haven't found a solution for how to make sound on Skype work with PulseAudio, which now comes compiled with Gnome 2.26. If you kill the PulseAudio server, things can work. It is clearly a work in progress, as in 2009Q2 Skype 1.4 only chatted. I had to download Skype 1.3 from the NetBSD distfiles and after unpacking and running it I could call; it was stable and I could speak and hear everyone normally. In current pkgsrc, Skype 1.3 did not speak to me at all while the nice Skype 1.4 did play sound and, before it got completely stuck, it even started to record from my microphone. It is very probable that even version 1.4 will soon work.

To make Skype talk you have to do several adjustments to the system settings.

In any case, to use Skype as a user you have to adjust the permissions of




/dev/sound* /dev/audio* and /emul/linux/dev/dsp* /emul/linux/dev/sound*. Then enable your system to receive and send audio at the same time:

# audioctl -w fullduplex=1

This will switch your microphone on:

# mixerctl -w inputs.mic.mute=off

And adjust the microphone recording level:

# mixerctl -w inputs.mic=240

Make CUPS print from all applications

By default the path is set up so that, when printing, applications use /usr/bin/lp instead of /usr/pkg/bin/lp. We need to be able to use cups, so we have to do the following (saving the original files):

# cp /usr/bin/lp /usr/bin/lp.old
# cp /usr/bin/lpr /usr/bin/lpr.old
# cp /usr/bin/lpq /usr/bin/lpq.old
# cp /usr/bin/lprm /usr/bin/lprm.old

Linking cups's lp files to the original expected path:

Figure 4. Using nspluginwrapper (terminal screenshot: the nspluginwrapper 1.2.2 usage text, followed by nspluginwrapper -l listing /root/.mozilla/plugins/npwrapper.libflashplayer.so with "Original plugin: /usr/pkg/lib/netscape/plugins/libflashplayer.so" and "Wrapper version string: 1.2.2")


Figure 5. Flash in Firefox 3 (screenshot of Firefox 3 on the Gnome desktop playing a YouTube video, http://www.youtube.com/watch?v=prZ4RWWku7Y, through the wrapped Flash plugin)
Notes

If you run the PKGSRC package system on a different system, it is likely that your pkgsrc installation prefix is in a different location. In that case you have to change the /usr/pkg prefix in the above examples to whatever your prefix is. All tests and installations were done on a Pentium 4 2GHz with 512MB RAM, system description: NetBSD 5.99.15 NetBSD 5.99.15 (GENERIC) #0: Fri Aug 14 23:02:59 PDT 2009 builds@wb33:/home/builds/ab/HEAD/i386/200908140002Z-obj/home/builds/ab/HEAD/src/sys/arch/i386/compile/GENERIC i386. The following websites were used and are related to the above text:

http://wiki.netbsd.se/
http://pkgsrc.se/
http://www.netbsd.org/
http://www.openunix.eu/


# ln -sf /usr/pkg/bin/lp /usr/bin/lp
# ln -sf /usr/pkg/bin/lpr /usr/bin/lpr
# ln -sf /usr/pkg/bin/lpq /usr/bin/lpq
# ln -sf /usr/pkg/bin/lprm /usr/bin/lprm


Then open any internet browser window and go to http://localhost:631, or http://127.0.0.1:631 if the former does not work. Administering cups is a walk in a rose garden with that interface. Of course you might want to install additional drivers from hpijs and hplip. You can do that using pkgsrc.


Scanning

If you want to scan as a user with a USB-connected scanner, install XSane and adjust the devices to be readable and writable by your user. If you add yourself to the wheel and operator groups then it is enough to change the permissions as follows.

In my case, after investigating as root where the scanner is connected (see Listing 4), I knew I had to adjust the permissions of these files:

# chmod 660 /dev/usb* /dev/ugen*

Then I ran the testing command as a user and I got a positive answer:

$ scanimage -L
device 'hp3900:libusb:/dev/usb0:/dev/ugen0' is a Hewlett-Packard Scanjet 4370 flatbed scanner

Now I knew XSane would find the flatbed scanner even for a user.


Burning CDs

If you want to burn CDs you have to adjust /dev/cd0* /dev/rcd* to be readable and writable by the user. If you add yourself to the wheel and operator groups then it is enough to:

# chmod 660 /dev/cd0* /dev/rcd*

Then you should check that your favourite CD burner knows that the CD device is /dev/rcd0 or similar.


Playing DVDs with and without encryption

First do the same permission adjustments as in the case of Burning CDs. Then, if you install vlc or use totem (part of Gnome) or xine-ui, playing a DVD is no problem.

There is an issue with encrypted DVDs. Remember that playing encrypted DVDs is licensed and restricted in many countries. If you are in a country where it is allowed, you can install libdvdcss, but you have to tell the system where to get the source and that you agree to the license. Add these two lines:

LIBDVDCSS_MASTER_SITES=http://download.videolan.org/pub/libdvdcss/
ACCEPTABLE_LICENSES+= libdvdcss-license

into /etc/mk.conf and then go to the terminal:

# cd /usr/pkgsrc/multimedia/libdvdcss/
# make install


Nice look and NetBSD branding

When GDM starts you see a very modest login window with a grey background and a small NetBSD logo. The NetBSD logo also appears in the Gnome menu. That's in fact all. There are various nice backgrounds on the Internet you can download and use, but not many. If you download the kernel sources, open the kernel configuration file and uncomment the following lines, the kernel compiles with a nice splash screen with progress:

# enable VGA raster mode capable of displaying multilingual text on console
# enable splash screen support; requires hw driver support
options SPLASHSCREEN
options SPLASHSCREEN_PROGRESS

It is not too modern, however it is quite stylish and nice: an orange and silver logo with blinking dots at the bottom right. If you read what Jared McNeill and Andrew Doran proposed for the NetBSD desktop we can expect visible improvement. By the way, if I am not mistaken, Jared McNeill was the person who made the current splash screen for the NetBSD kernel.

If you want to see what the future of NetBSD on the desktop is, you can have a look at the new proposed GDM screenshot for NetBSD Desktop (see Figure 1).


Conclusion

Though it does not have a 3-click installer and it really takes some time and knowledge to set up and tweak, almost everything that a desktop needs works on NetBSD. You can play Flash in a browser, you can listen to music streams, play DVDs, burn CDs, chat and (with some effort) talk over the Internet, automount USB keys, mount Linux and Windows volumes, write documents, print and scan whatever you like. That means immense progress has been made by NetBSD developers (with the support of donors in the fund-raising campaign last year and this year again) compared to what NetBSD was a year ago. And the most promising point here is that if Andrew Doran and Jared McNeill accomplish their aim and bring the NetBSD Desktop project to life, it will definitely be a challenge for PC-BSD or modern Linux desktops.
FreeBSD on the SheevaPlug

Though NetBSD is better known for supporting a wide variety of processors and systems, FreeBSD has an active embedded component as well. In this article, we'll take a look at the ARM-based SheevaPlug and show you how to boot your Plug using FreeBSD.


The SheevaPlug (SP) is the archetype of the plug computer, a new style of small computer whose distinguishing feature is that instead of plugging into a wall wart for power, it is the wall wart (see Figure 1). Built around the Marvell (www.marvell.com) 88F6281 Kirkwood line of SOC (system on chip) processors, the SheevaPlug comes with Gigabit Ethernet (but not wireless), USB, and 512 MB of both system RAM and NAND Flash memory. A disassembled SP is shown in Figure 2. The Kirkwood processor supports a large number of peripherals as shown in Table 1, only a few of which are used by the SP. The SP is touted as a development system by Marvell and comes with an internal interface board that adds an SDIO memory slot and a mini-USB port that provides access to a serial port console and JTAG port as two different com ports. The SP is available from Globalscale Technologies (www.globalscaletechnologies.com) for around $99US.


Listing 1. CSUP Control File (sheeva.supfile) Used To Download FreeBSD Source Code

# IMPORTANT: Change the next line to use one of the CVSup Mirror Sites
# listed at http://www.freebsd.org/doc/handbook/mirrors.html
*default host=cvsup8.FreeBSD.org
*default base=/var/db
*default prefix=/home/hayford/sp
*default release=cvs tag=. date=2009.08.09.00.00.00
*default delete use-rel-suffix
*default compress




Figure 1. The SheevaPlug Computer. The USB and GigE ports are on the left, and the debug devices (mini-USB and SDIO memory card) are on the right

Figure 2. The SheevaPlug Disassembled. The circuit board on the far right contains the development hardware (serial console, JTAG interface, USB, and SDIO interfaces). The circuit board in the center holds the Marvell processor, Ethernet port, USB port, and system memory. The power supply is under the metal plate in the case on the left side
According to the PlugComputer website (www.plugcomputer.org, operated by Marvell), "A plug computer is a tiny, low power server, intended to provide network-based services within the home. It is an always-on system, and can serve data and applications to computing devices within the home. It can also be a bridge between home computing devices and Internet-based services." Low power in this case means about 15 W, definitely less


Steps Required To Build FreeBSD For The SheevaPlug

—Upe Upp sUp> sUpp sUpp -aUpp aUpr sUpp apr
exit
se UP SESS SSS SE SSSR
setenv DESTDIR /usr/home/hayford/sroot
mkdir -p $DESTDIR
make installworld TARGET_ARCH=arm
make distrib-dirs TARGET_ARCH=arm
make distribution TARGET_ARCH=arm
make buildkernel TARGET_ARCH=arm KERNCONF=SHEEVAPLUG


Table 1. Comparison Of The Hardware Capabilities Of The Kirkwood Processor And The SheevaPlug

Feature                            Kirkwood Processor                             SheevaPlug
Clock Speed                        1.0 - 1.2 GHz                                  1.2 GHz
L1 Cache                           16K data, 16K program                          Same
L2 Cache                           256 kB                                         Same
Memory Interface                   16-bit, DDR2, up to 800 MHz                    512 MB
Ethernet                           2 GigE Interfaces                              1 GigE Interface
PCI-Express                        1 Port                                         None available
USB                                1 USB-2.0 Port with integrated PHY             Same
SATA                               2 SATA 2.0 Ports with integrated PHYs          None available
TDM Channels                       2                                              None available
SD/SDIO/MMC                        1                                              1 SDIO slot (can also be used as General Purpose IO)
NAND Flash                         8-bit NAND flash interface with boot support   512 MB
SPI                                1, up to 50 MHz clock                          None available
TWSI (Two Wire Serial Interface)   1 General purpose master/slave port            None available
UART                               2 Available                                    1, Serial Console Interface and Debug Interface
Audio                              I2S/SPDIF                                      None available
Video                              MPEG Transport Stream                          None available
than a standard desktop or laptop. One variety of plug computer, based on the same base design as the SP, is the Pogoplug (www.pogoplug.com), a device that allows you to put a USB storage device on the Internet so you can access your data from any computer. The Pogoplug doesn't have the same development capabilities as the SP, so if you're interested in system level programming, stick with the SP. More recently, a slightly more expensive


ddns-update-style ad-hoc;
option subnet-mask 255.255.255.0;
default-lease-time 2592000;
allow bootp;
allow booting;
COUMOn bout ercs ho Ge. isle
Ke © = @G@y Gh cS ww bs fF

# Add these lines to rc.conf
nfs_server_enable="YES"
nfs_server_flags="-u -t -n 4"
rpcbind_enable="YES"
rpc_lockd_enable="YES"
rpc_statd_enable="YES"

option domain-name-servers xxx.xxx.xxx.xxx;


device has become available that takes better advantage of the Kirkwood's capabilities; see www.open-rd.org for information on the SP's big brother, the OpenRD platform.

Not surprisingly, the SP comes with Linux preloaded in the flash memory, along with U-Boot, a powerful boot loader that has become very popular on ARM-based devices. Both FreeBSD and NetBSD offer support for a number of varieties of ARM devices, and Rafal


Listing 3. DHCP Configuration File On The DHCP Server

option broadcast-address 192.168.1.255;
# Use your nameserver address
subnet 192.168.1.0 netmask 255.255.255.0 {


Listing 4. Fragment Of The File /etc/inetd.conf On The TFTP Server

# Run comsat as root to be able to print partial mailbox contents w/ biff,
# or use the safer tty:tty to just print that new mail has been received.
#comsat dgram udp  wait tty:tty /usr/libexec/comsat comsat
#
# ntalk is required for the 'talk' utility to work correctly
#ntalk  dgram udp  wait tty:tty /usr/libexec/ntalkd ntalkd
tftp    dgram udp  wait root    /usr/libexec/tftpd  tftpd -l -s /tftpboot
tftp    dgram udp6 wait root    /usr/libexec/tftpd  tftpd -l -s /tftpboot


Listing 5. Add These Lines To /etc/rc.conf To Enable The NFS Server (FreeBSD) 


Jaworowski_ (http://www.semihalf.com) 
recently announced support for a 
number of Marvell devices on the 
FreeBSD-ARM mail list. Consequently, 
it is now possible to build a version of 
FreeBSD that will boot on the SP. While 
building and running FreeBSD on an 
embedded processor is_ interesting 
in its own right, we will also use this 
Opportunity to compare the NetBSD 
build and installation process. with 
FreeBSD’s. 


# Put your NFS server here 


alia, Bange Io7 168. i dO S72, heey leo 

2a: } 

dea 

ia Group { 

ibae host sheevaplug { 

en hardware ethernet 00:50:43:XX:XX:XX; # Use your MAC address 
ie iixed=address 192 168.1, 103; 

18% next=server 192.1638-1.171; # Use your TFTP server address here 
EO Option coOot—-path “192.168 -1,17/1:/usr/home/haytord/sroon"; 

AO } 

ads } 


tktpd =1 =s /tiEpboot 
Eheod —le—s = EREDCOot 
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FreeBSD on the SheevaPlug

What you'll need:

A SheevaPlug (http://www.globalscaletechnologies.com/p-22-sheevaplug-dev-kit-us.aspx).

A Windows computer that can run the driver software from Marvell so you can talk to the SheevaPlug. There is information available on the web (http://dev.gentoo.org/~armin76/arm/sheevaplug/install.xml or http://mail-index.netbsd.org/current-users/2009/05/25/msg009557.html) that shows how to use Linux or NetBSD to talk to the serial port on the SheevaPlug, if you'd like to try that. Be forewarned that some of these methods require you to reflash the SheevaPlug. Besides, you needed something for that Windows box to do.

A computer (x86-compatible) that runs a recent version of FreeBSD. For reasons we'll discuss below, the build/boot process will be easier if this computer is also the NFS server that your SP can use as a root drive.


Listing 6. The /etc/exports File That Allows The SheevaPlug To Attach To The Root Directory

#The following examples export /usr to 3 machines named after ducks,
#/usr/src and /usr/ports read-only to machines named after trouble makers
#/home and all directories under it to machines named after dead rock stars
#and, /a to a network of privileged machines allowed to write on it as root.
#/usr   huey louie dewie
#/usr/src /usr/obj -ro   calvin hobbes
#/home   -alldirs   janice jimmy frank
#/a   -maproot=0   -network 10.0.1.0 -mask 255.255.248.0
#
# You should replace these lines with your actual exported filesystems.
# Note that BSD's export syntax is 'host-centric' vs. Sun's 'FS-centric' one.
/usr/home/hayford/sroot -maproot=root -network 192.168.1 -mask 255.255.255.0


Listing 7. Loading The FreeBSD Kernel Onto The SheevaPlug With TFTP

** MARVELL BOARD: SHEEVA PLUG LE

U-Boot 1.1.4 (Mar 19 2009 - 16:06:50) Marvell version: 3.4.16

U-Boot code: 00600000 -> 0067FFF0  BSS: -> 006CEE80

Soc: 88F6281 A0 (DDR2)
CPU running @ 1200Mhz L2 running @ 400Mhz
SysClock = 400Mhz , TClock = 200Mhz

DRAM CAS Latency = 5 tRP = 5 tRAS = 18 tRCD=6
DRAM CS[0] base 0x00000000   size 256MB
DRAM CS[1] base 0x10000000   size 256MB
DRAM Total size 512MB  16bit width
Flash:  0 kB
Addresses 8M - 0M are saved for the U-Boot usage.
Mem malloc Initialization (8M - 7M): Done
NAND:512 MB

CPU : Marvell Feroceon (Rev 1)
Streaming disabled
Write allocate disabled

USB 0: host mode
PEX 0: interface detected no Link.
Net:   egiga0 [PRIME], egiga1
Hit any key to stop autoboot:  0
Marvell>> dhcp
BOOTP broadcast 1
DHCP client bound to address 192.168.1.109
Marvell>> tftpboot 900000 sp/kernel.bin
Using egiga0 device
TFTP from server 192.168.1.171; our IP address is 192.168.1.109
Filename 'sp/kernel.bin'.
Load address: 0x900000
Loading: ################################################################
done
Bytes transferred = 2729908 (29a7b4 hex)
Marvell>> go 900000
## Starting application at 0x00900000 ...
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A computer (can be the same as in 3 above) that will act as a DHCP server and TFTP server.


Getting and Building FreeBSD

If you've followed along with some of the articles from this magazine that deal with building NetBSD for an embedded system, you'll notice some immediate differences when you go to build FreeBSD. For example, NetBSD uses a build script that will run on virtually any Unix-like system. Partly this is because the script builds most of the ancillary software that NetBSD needs; as a result, it can take a lot longer to build NetBSD for an embedded system. With FreeBSD, on the other hand, you pretty much have to build it using a FreeBSD system. NetBSD's build scripts allow slightly better control over where the objects and executables end up. I also had trouble getting FreeBSD to install the world files to an NFS-shared directory on another (Linux) machine




and ended up using a FreeBSD system as the NFS server for the root system. All in all, the differences between the two systems are relatively small. My prediction: you'll forget about all of these once you see how much faster FreeBSD builds.

Like NetBSD, FreeBSD uses CVS to manage the source code repository. Instead of using CVS directly, however, FreeBSD supplies an application, csup, that uses an external file to control how and where source code is downloaded. The control file for this project is shown in Listing 1. You need to change line 3 to reflect the CVS host you will be using for the download; see the instructions in lines 1 and 2. You'll need to change the directory in line 5 to show where you want the source code placed, and line 9 says to download all of the source files, which you'll want. I've added a date tag to line 6 so that the downloaded files are from a date that we know will build and run correctly on the SP (but see the Note).


Listing 8. Partial Listing Of The U-Boot Command Line Interface For The SheevaPlug

Marvell>> ?
?       - alias for 'help'
base    - print or set address offset
boot    - boot default, i.e., run 'bootcmd'
cpumap  - Display CPU memory mapping settings.
dhcp    - invoke DHCP client to obtain IP/boot params
ext2load- load binary file from a Ext2 filesystem
ext2ls  - list files in a directory (default /)
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
go      - start application at address 'addr'
help    - print online help
ls      - list files in a directory (default /)
map     - Display address decode windows
md      - memory display
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset   - Perform RESET of the CPU
resetenv- Return all environment variable to default.
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
usb     - USB sub-system
usbboot - boot from USB device
version - print monitor version
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Note

When this article was written, support for the SheevaPlug was still experimental. By the time you read this, the SheevaPlug should be fully supported in FreeBSD 8; however, the build instructions were written to show what works, not what may (or may not) be available when you read this. The instructions, as written, will still work; however, you most likely won't need lines 4 and 6, and the supfile you use in line 2 should now be the standard supfile for FreeBSD 8. See the FreeBSD-arm mailing list (in the Resources section) for more details on current support for the SheevaPlug.


Listing 2 shows the commands that are necessary to retrieve the source files and to build both the kernel and the world (all of the files that FreeBSD needs to run that aren't actually part of the kernel). On a reasonably fast machine, this process will take a few hours, including the download. Line 2 is used to download the source code and lines 3-6 will get and apply the patch needed to build the SP kernel. Line 7 is used to control where the files are put during the build, while line 11 controls where the root directory will be put during the build process. Note the difference between lines 7 and 11; my normal user shell is bash, while the root shell is csh.

The fact that part of the build steps requires you to change to the superuser is another difference between NetBSD and FreeBSD. Part of the reason for this is that FreeBSD sets the immutable bit on system files so they can't be inadvertently changed, which only the superuser can do. This also makes it more difficult (or impossible; I couldn't find a work-around) to install FreeBSD to a remotely-hosted NFS file system.

Once you have finished building FreeBSD, you will need to set up your local network to provide a DHCP server, an NFS server, and a TFTP server. Since I already had a DHCP server on a Linux machine, I didn't set one up for this project, but doing so is straightforward. See the Resources section for information on how to do this on FreeBSD. Regardless of the system type, you'll need to make sure your /etc/dhcpd.conf file has the lines shown in Listing 3. Make sure the root directory you put in the DHCP configuration file is the same location that you used on line 11 of Listing 2. A common mistake is to have multiple DHCP servers on the network. If you have a router, you probably already have a DHCP server. Unfortunately, most routers can hand out addresses but can't handle the additional options you'll need for the SP, so you'll need to disable your router's DHCP capabilities and create your own DHCP server.
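Because the DHCP root-path, the /etc/exports entry and the build root must all name the same directory and the same client, here is an added Python check (not part of the article) that parses the relevant fragments of the two files and reports any mismatch; the address range and the MAC in the sample input are constructed placeholders, and the check assumes the FreeBSD -network/-mask export syntax shown in Listing 6.

```python
"""Consistency check for the SheevaPlug NFS-root netboot pieces.

The DHCP host block (fixed-address, next-server, option root-path), the
/etc/exports line and the directory the world was installed into must all
agree, or the SP boots the kernel and then fails to mount its root.
Sample inputs are constructed from Listings 3 and 6 (placeholder MAC/range).
"""
import ipaddress
import re

DHCPD_CONF = """
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.150;       # constructed range
}
group {
    host sheevaplug {
        hardware ethernet 00:50:43:XX:XX:XX;  # placeholder MAC
        fixed-address 192.168.1.103;
        next-server 192.168.1.171;            # TFTP server
        option root-path "192.168.1.171:/usr/home/hayford/sroot";
    }
}
"""

EXPORTS = """
# comments and blank lines are ignored, as in /etc/exports
/usr/home/hayford/sroot -maproot=root -network 192.168.1 -mask 255.255.255.0
"""

BUILD_ROOT = "/usr/home/hayford/sroot"   # DESTDIR used on line 11 of Listing 2


def parse_host_block(text, hostname):
    """Return the statements inside 'host <hostname> { ... }' as a dict."""
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    m = re.search(r"host\s+%s\s*\{(.*?)\}" % re.escape(hostname), stripped, re.S)
    if not m:
        raise ValueError("no host block for %s" % hostname)
    opts = {}
    for stmt in m.group(1).split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        key, _, value = stmt.partition(" ")
        if key == "option":                   # option <name> <value>
            key, _, value = value.strip().partition(" ")
        opts[key] = value.strip().strip('"')
    return opts


def parse_exports(text):
    """Return {path: {option: value}} for each non-comment /etc/exports line."""
    exports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        path, opts, i = fields[0], {}, 1
        while i < len(fields):
            if fields[i].startswith("-"):
                key, has_eq, value = fields[i][1:].partition("=")
                # -network and -mask take their value from the next field
                if not has_eq and i + 1 < len(fields) and not fields[i + 1].startswith("-"):
                    i += 1
                    value = fields[i]
                opts[key] = value
            i += 1
        exports[path] = opts
    return exports


def export_network(opts):
    """Build the IPv4 network that an export's -network/-mask pair describes."""
    quads = opts["network"].split(".")
    net = ".".join(quads + ["0"] * (4 - len(quads)))   # '192.168.1' -> '192.168.1.0'
    mask = opts.get("mask", "255.255.255.0")
    return ipaddress.ip_network("%s/%s" % (net, mask), strict=False)


def check_netboot(dhcpd_conf, exports_text, build_root, hostname="sheevaplug"):
    """Return a list of problems; an empty list means the pieces agree."""
    problems = []
    host = parse_host_block(dhcpd_conf, hostname)
    server, _, root_dir = host.get("root-path", "").partition(":")
    if not server or not root_dir:
        return ["option root-path must be of the form server:/directory"]
    if root_dir != build_root:
        problems.append("root-path %s differs from build root %s" % (root_dir, build_root))
    export = parse_exports(exports_text).get(root_dir)
    if export is None:
        return problems + ["%s is not listed in /etc/exports" % root_dir]
    if "maproot" not in export:
        problems.append("export lacks -maproot; the SP's root would map to an unprivileged uid")
    if "network" in export:
        client = ipaddress.ip_address(host["fixed-address"])
        if client not in export_network(export):
            problems.append("fixed-address %s is outside exported network %s"
                            % (client, export_network(export)))
    return problems


if __name__ == "__main__":
    print(check_netboot(DHCPD_CONF, EXPORTS, BUILD_ROOT) or "netboot configuration is consistent")
```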


For the TFTP server, edit /etc/inetd.conf as shown in Listing 4 and uncomment lines 30-31. Note that your line numbers may be slightly different. To enable the NFS server on FreeBSD, add the lines shown in Listing 5 to your /etc/rc.conf and create (or add to) the file /etc/exports as shown in Listing 6. Here, make sure you export the same directory as listed in your DHCP configuration file and that you used in Listing 2 to build the root directory on. Because of the immutable bit difficulty described above, I ended up building the root directory locally and then sharing that using an NFS server on FreeBSD.

Listing 9. Partial Console Output From Booting FreeBSD On The SheevaPlug

Copyright (c) 1992-2009 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 8.0-BETA2 #0: Sat Aug 22 21:01:49 EDT 2009
    hayford@freeqemu:/usr/home/hayford/obj/arm/usr/home/hayford/sp/src/sys/SHEEVAPLUG
Preloaded elf kernel "elf kernel" at 0xc0bb41e4.
CPU: Feroceon 88FR131 rev 1 (write-through core)
  Instruction cache prefetch enabled, data cache prefetch enabled
  256KB 4-way set-associative write-through unified L2 cache
real memory  = 536870912 (512 MB)
avail memory = 520634368 (496 MB)
SOC: Marvell 88F6281 rev A0, TClock 200MHz
mbus0: <Marvell Internal Bus (Mbus)> on motherboard
ic0: <Marvell Integrated Interrupt Controller> at mem 0xf1020200-0xf102023b on mbus0
timer0: <Marvell CPU Timer> at mem 0xf1020300-0xf102032f irq 1 on mbus0
rtc0: <Marvell Integrated RTC> at mem 0xf1010300-0xf1010307 on mbus0
gpio0: <Marvell Integrated GPIO Controller> at mem 0xf1010100-0xf101011f irq 35,36,37,38,39,40,41 on mbus0
uart0: <16550 or compatible> at mem 0xf1012000-0xf101201f irq 33 on mbus0
uart0: console (115200,n,8,1)
uart1: <16550 or compatible> at mem 0xf1012100-0xf101211f irq 34 on mbus0
uart1: fast interrupt
ehci0: <Marvell Integrated USB 2.0 controller> at mem 0xf1050000-0xf1050fff irq 48,19 on mbus0
usbus0: <Marvell Integrated USB 2.0 controller> on ehci0
mge0: <Marvell Gigabit Ethernet controller> at mem 0xf1072000-0xf1073fff irq 12,13,14,11,46 on mbus0
miibus0: <MII bus> on mge0
e1000phy0: <Marvell 88E1116 Gigabit PHY> PHY 0 on miibus0
usbus0: 480Mbps High Speed USB v2.0
bootpc_init: wired to interface 'mge0'
Sending DHCP Discover packet from interface mge0 (00:50:43:01:c4:7b)
mge0: link state changed to UP
Sending DHCP Request packet from interface mge0 (00:50:43:01:c4:7b)
Received DHCP Ack packet on mge0 from 192.168.1.171 (accepted) (got root path)
mge0 at 192.168.1.109 server 192.168.1.171 boot file /tftpboot/sp/kernel.bin
subnet mask 255.255.255.0 router 192.168.1.1 rootfs 192.168.1.171:/usr/home/hayford/sroot
Trying to mount root from nfs:
NFS ROOT: 192.168.1.171:/usr/home/hayford/sroot
Enter full pathname of shell or RETURN for /bin/sh:
# mount
192.168.1.171:/usr/home/hayford/sroot on / (nfs, read-only)
devfs on /dev (devfs, local)
#

Booting the SheevaPlug

Now we're ready to boot up the SheevaPlug. If you haven't done so, you'll need to install the drivers for the SP's USB serial port, and you'll need a program
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that runs on Windows that allows you to use the serial port. Regardless of the version of Windows, my favorite is PuTTY, available from http://www.chiark.greenend.org.uk/~sgtatham/putty/. Plug the mini-USB connector into the SP and your Windows computer, start PuTTY, and use the serial port to log in to the SP. Chances are that the SP will boot into Debian Linux long before you get PuTTY up and running, so you'll need to log in to Debian (user: root, password: nosoup4u) and reboot the SP. At this point, you should see output similar to that shown in the top part of Listing 7. Hit any key when you see the prompt to stop the SP from booting back into Linux, and type a ?, as shown at the top of Listing 8. You'll get a long list of available commands that U-Boot understands; generally, entering ? <command-name> will get you more information on that particular command. At this point, we will only need to use three, dhcp, tftpboot, and go, as shown in the bottom half of Listing 7, but I left in some of the more interesting commands if you'd like to explore U-Boot a little. Once the kernel has been loaded (at address 0x900000; another common error is to use the wrong load address), type in the go 900000 command and you should see the FreeBSD bootup text scroll by as shown in Listing 9. When it's all finished you should be logged into the SP as root. From that point, I recommend that you set up a user and follow the normal steps to generate a useful FreeBSD system.
The second most common problem at this point is if the SP is unable to mount the NFS file system as its root directory, usually because the NFS server isn't set up correctly or the DHCP server didn't tell the SP either the right network address or folder name. Towards the bottom of the bootup output (Listing 9), you'll see the message:

Received DHCP Ack packet on mge0 from 192.168.1.171 (accepted) (got root path)
mge0 at 192.168.1.109 server 192.168.1.171 boot file /tftpboot/sp/kernel.bin
subnet mask 255.255.255.0 router 192.168.1.1 rootfs 192.168.1.171:/usr/home/hayford/sroot

If these lines don't look right or if you don't see the got root path message, check your DHCP configuration file and verify that the root directory is specified correctly. With NetBSD, you can set the kernel to ask for the location of the root device; convenient when you are starting out. FreeBSD isn't quite so flexible and the DHCP server must supply the correct root location for an NFS-mounted root system.

If you're a little adventurous, you can play around with the environment saved in the SP flash that is used by U-Boot to make the SP boot up into FreeBSD (using TFTP and NFS) automatically. But I'll leave that as an exercise for the reader.


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Getting Help

Like NetBSD, FreeBSD has a wiki that contains a lot of useful information on running and installing software, including FreeBSD itself. You can go to the wiki at wiki.freebsd.org for the latest information on ARM support. One difference, however, that will quickly become apparent, is that the FreeBSD wiki is for the benefit of developers, not users, and contributions are from a more limited population. This is not a criticism, just an observation. It's unusual to find people that like both developing and writing about software, so the wiki is often out-of-date or incomplete. The mailing list, like most, is extremely helpful and friendly, so go there with questions (after you've tried to work it out for yourself, first, of course). See the Resources section for more details.

Resources

Information on SheevaPlug hardware: http://www.plugcomputer.org/data/docs/tech/SheevaPlug%20Devkit%20Reference%20Design-Rev1.1.pdf

The FreeBSD web site: http://www.freebsd.org.

The FreeBSD developer's wiki: http://wiki.freebsd.org/FreeBSDMarvell.

The FreeBSD-ARM mail list: http://lists.freebsd.org/mailman/listinfo/freebsd-arm.

http://www.bsdcan.org/2008/schedule/attachments/49_2008_uboot_freebsd.pdf

The description of the command line interface for U-Boot can be found here: http://www.denx.de/wiki/view/DULG/UBootCommandLineInterface. Note that this manual includes features not found in the SheevaPlug version of U-Boot.

To set up a DHCP server on FreeBSD, see http://www.freebsd.org/doc/en/books/handbook/network-dhcp.html

A combined serial port/SSH program for Windows is PuTTY: http://www.chiark.greenend.org.uk/~sgtatham/putty/


Conclusion

While FreeBSD doesn't yet support as many hardware configurations as NetBSD, the developers are working hard to increase FreeBSD's credentials in the embedded world. In both the server and desktop world, FreeBSD has a significantly larger installation base than NetBSD, so that could be a real advantage to developers looking to add particular hardware or software items to their embedded system. The NetBSD build and development environment is a little more advanced and can be used on a variety of operating systems (BSDs, Linux, and Windows) while FreeBSD's requires a FreeBSD system. Still, this is not much of a limitation and FreeBSD has a mature and easy-to-use build environment. All in all, FreeBSD is an excellent choice for an embedded operating system and I, for one, look forward to using it on more systems in the future.

The SheevaPlug is an excellent ARM development system that you'll have a lot of fun with, particularly if you've not experienced FreeBSD on an embedded system. At present, there isn't support for the SheevaPlug flash memory in FreeBSD, but I predict that by the time you read this, you'll be able to boot your SheevaPlug as easily with FreeBSD as you can now with Linux.
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
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
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
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Email server in FreeBSD

Configuring FreeBSD as a mail server with Postfix and Dovecot in FreeBSD 7.X

Francisco Reyes

This tutorial is a step by step guide on how to set up your own mail server using Postfix as the Mail Transfer Agent (MTA) and Dovecot as the IMAP server and as the authenticating agent for Postfix. These instructions were tested with FreeBSD 7.2.

In addition to Postfix and Dovecot we will also go over how to install PostgreSQL to store the user information that both Postfix and Dovecot need simultaneous access to. Unless otherwise instructed, all operations in this tutorial need to be performed as root.

We will need to use the ports system. If you are new to it, check chapter 4 of the handbook.


Process overview

All programs in this article will be installed through the ports system. The ports used for this article were PostgreSQL 8.4.0, Dovecot 1.2.4, Dovecot Sieve 1.2+0.1.12 and Postfix 2.6.3.

This tutorial installs all ports in batch mode; however, if you like, you can remove the BATCH=yes and do the installs in interactive mode. Be aware that if you do the port install in interactive mode, any ports installed as dependencies will also be in interactive mode. The setup as described in this article uses virtual users, so no users need to be created in the operating system to accept mail.


PostgreSQL Port

Because it is a dependency for both Dovecot and Postfix, let's install PostgreSQL first. If you already have PostgreSQL installed you can skip the port installation and only run the SQL statements (see Listing 1). We need to create a database and the table. Create a file, mail.sql, with the content shown in Listing 2.

We will then load the file into postgres:

#psql -U pgsql -f mail.sql postgres


Dovecot Port

To install this port we do as follows: see Listing 3.

Edit /usr/local/etc/dovecot.conf as follows: see Listing 4. Edit /usr/local/etc/dovecot-sql.conf as follows: see Listing 5. The directory /usr/local/share/examples/dovecot/ contains examples of both files with a considerable amount of useful information, including explanations for all the parameters on the lines in this tutorial.

Create the log file for dovecot:

#touch /var/log/dovecot-deliver.log
#chown mailnull:mail /var/log/dovecot-deliver.log


Postfix port

We install postfix last because it depends on both postgresql and dovecot.

#cd /usr/ports/mail/postfix
#make WITH_DOVECOT=yes WITH_TLS=yes WITH_PGSQL=yes WITH_TEST=yes BATCH=yes install clean
#rehash

Disable sendmail, the default MTA, and enable postfix at startup by adding to your /etc/rc.conf:

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
postfix_enable="YES"

Disable some sendmail-specific daily maintenance by editing /etc/periodic.conf and placing the following:

daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
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Configure Postfix as the system mailer. Edit /etc/mail/mailer.conf as follows: see Listing 6. The Postfix configuration file is /usr/local/etc/postfix/main.cf. Change the entire main.cf as follows (see Listing 7). You also need to edit /usr/local/etc/postfix/master.cf and add at the bottom: see Listing 8.

Create the directory where we will hold the mail and give it the proper rights.

mkdir /usr/Mail/
chown mailnull:mail /usr/Mail/

As I stated in the main.cf note, /usr/Mail can be replaced with whatever directory you want to use to hold your mail.

Edit /usr/local/etc/postfix/virtual_maps with your preferred editor and add users in the format

postmaster@mydomain.com mydomain.com/postmaster/Maildir

Convert the file into a database for faster lookup:

postmap /usr/local/etc/postfix/virtual_maps

For a fully documented main.cf see /usr/local/libexec/postfix/main.cf.
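As an added example (not part of the article), the following Python code cross-checks virtual_maps entries against the %d/%n expansion of Listing 4's mail_location and generates a correct entry for a new address; it assumes the virtual_maps paths are relative to the /usr/Mail directory created above, and the alice and bob users are constructed samples.

```python
"""Check Postfix virtual_maps entries against Dovecot's mail_location.

Dovecot opens maildir:/usr/Mail/%d/%n/Maildir for a user (%d = domain,
%n = local part, %u = full address), so the relative path typed into
virtual_maps must resolve to that same directory under /usr/Mail
(assumption: virtual_maps paths are relative to /usr/Mail).
The entries below are constructed examples in the article's format.
"""
import posixpath

MAIL_LOCATION = "maildir:/usr/Mail/%d/%n/Maildir"   # from Listing 4
MAIL_BASE = "/usr/Mail"                              # directory created with mkdir

VIRTUAL_MAPS = """
postmaster@mydomain.com  mydomain.com/postmaster/Maildir
alice@mydomain.com       mydomain.com/alice/Maildir
bob@mydomain.com         mydomain.com/robert/Maildir
"""


def expand_mail_location(template, user):
    """Expand %u, %n and %d in a mail_location and drop the 'maildir:' prefix."""
    local, _, domain = user.partition("@")
    path = template.split(":", 1)[1] if ":" in template else template
    return path.replace("%u", user).replace("%n", local).replace("%d", domain)


def parse_virtual_maps(text):
    """Return {address: relative Maildir path} from virtual_maps text."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError("malformed virtual_maps line: %r" % line)
        entries[fields[0]] = fields[1]
    return entries


def virtual_maps_entry(address, template=MAIL_LOCATION, base=MAIL_BASE):
    """Build the virtual_maps line that agrees with Dovecot for this address."""
    full = expand_mail_location(template, address)
    return "%s %s" % (address, posixpath.relpath(full, base))


def check_virtual_maps(text, template=MAIL_LOCATION, base=MAIL_BASE):
    """Return {address: (virtual_maps path, Dovecot path)} for every mismatch."""
    mismatches = {}
    for address, rel in parse_virtual_maps(text).items():
        postfix_path = posixpath.normpath(posixpath.join(base, rel))
        dovecot_path = posixpath.normpath(expand_mail_location(template, address))
        if postfix_path != dovecot_path:
            mismatches[address] = (postfix_path, dovecot_path)
    return mismatches


if __name__ == "__main__":
    for address, (have, want) in check_virtual_maps(VIRTUAL_MAPS).items():
        print("%s: virtual_maps says %s but Dovecot will open %s" % (address, have, want))
        print("  corrected entry: %s" % virtual_maps_entry(address))
```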

Before we can test our setup we need 
to populate the table passwd we created. 


The value of the encrypted password is Pass2009. As you need to create more users, if you don't have an easy way to generate a crypt value you can use http://stringsutils.com. Create a newaliases file, kill sendmail, start postfix and dovecot. Dovecot could not be started before because it will be using the postfix user, which was not yet created when we finished installing the Dovecot port.

#newaliases
#/etc/rc.d/sendmail stop
#rehash
#/usr/local/etc/rc.d/dovecot start
#postfix start

Although the setup described in this article will not use the newaliases file, Postfix looks for it. To test that postfix is running:

telnet localhost 25

You should see a prompt:

Trying 127.0.0.1...
Connected to <your host name>
Escape character is '^]'.

Use CTRL+], then type quit.

Testing your setup

If you already have an IMAP client you can connect to your newly configured dovecot server using the test user. Remember that when logging in you need to use the fully qualified user name such as postmaster@mydomain.com. Also remember that you will need to use SMTP authentication to send mail through your server.

If you don't have an IMAP client there is a text based mail client, called cone, in the ports system which you can use for your test. You can install cone on the same server where you have installed dovecot or on a different machine as long as it can connect to the dovecot IMAP server. Cone has several dependencies (gnupg, curl) and it takes quite a bit to compile, so if you have a mail client installed it is best to use whatever you already have installed.

Installing Cone

#cd /usr/ports/mail/cone
#make install clean

For the rest of the test you do not need to be the root superuser.

Listing 1. PostgreSQL installation from ports

#cd /usr/ports/databases/postgresql84-server
#make BATCH=yes install clean
#echo 'postgresql_enable="YES"' >> /etc/rc.conf
#/usr/local/etc/rc.d/postgresql initdb
#/usr/local/etc/rc.d/postgresql start

Listing 2. SQL statements to load into Postgres

CREATE USER mail password 'Pass2009';
CREATE DATABASE mail owner mail;
\c mail
CREATE TABLE passwd (
    id character varying(128) DEFAULT ''::character varying NOT NULL,
    crypt character varying(128) DEFAULT ''::character varying NOT NULL,
    clear character varying(128) DEFAULT ''::character varying NOT NULL,
    name character varying(128) DEFAULT ''::character varying NOT NULL,
    uid integer DEFAULT 26 NOT NULL,
    gid integer DEFAULT 6 NOT NULL,
    home character varying(255) DEFAULT ''::character varying NOT NULL,
    maildir character varying(255) DEFAULT ''::character varying NOT NULL,
    defaultdelivery character varying(255) DEFAULT ''::character varying NOT NULL,
    quota character varying(255) DEFAULT ''::character varying NOT NULL
);
ALTER TABLE public.passwd OWNER TO mail;
ALTER TABLE ONLY passwd ADD CONSTRAINT id PRIMARY KEY (id);

Listing 3. Dovecot installation from ports

#cd /usr/ports/mail/dovecot
#make install WITH_PGSQL=yes WITHOUT_IPV6=yes BATCH=yes
#echo 'dovecot_enable="YES"' >> /etc/rc.conf
#cd /usr/ports/mail/dovecot-sieve
#make install BATCH=yes
#make clean
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Listing 4. Dovecot configuration file

## Dovecot configuration file
# If you're in a hurry, see http://wiki.dovecot.org/QuickConfiguration
protocols = imap pop3
disable_plaintext_auth = no
shutdown_clients = yes
login_process_size = 64
mail_location = maildir:/usr/Mail/%d/%n/Maildir
mail_privileged_group = mail
# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
# since version 3, so this should be safe to use nowadays by default.
dotlock_use_excl = yes
verbose_proctitle = yes
first_valid_uid = 26
first_valid_gid = 6
maildir_copy_with_hardlinks = yes

## IMAP specific settings
protocol imap {
  imap_client_workarounds = delay-newmail netscape-eoh tb-extra-mailbox-sep
}

## POP3 specific settings
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}

## LDA specific settings
protocol lda {
  # Address to use when sending rejection mails.
  postmaster_address = postmaster@example.com
  mail_plugins = sieve
  sendmail_path = /usr/sbin/sendmail
  log_path = /var/log/dovecot-deliver.log
  info_log_path = /var/log/dovecot-deliver.log
}

# Log unsuccessful authentication attempts and the reasons why they failed.
auth_verbose = no
# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
auth_debug = no
# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
auth_debug_passwords = no

auth default {
  mechanisms = plain
  passdb sql {
    args = /usr/local/etc/dovecot-sql.conf
  }
  userdb passwd {
    args = blocking=yes
  }
  userdb sql {
    args = /usr/local/etc/dovecot-sql.conf
  }
  user = root
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0660
      user = mailnull
      group = mail
    }
    client {
      path = /var/run/dovecot/auth-client
      mode = 0660
      user = postfix
      group = mail
    }
  }
}

## Plugin settings
plugin {
  #quota = mysql:/usr/local/etc/dovecot-dict-quota.conf
  #expire = db:/var/db/dovecot/expire.db
}
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Start the cone program by typing
'cone' at the command prompt.
Hit 'M' for the main menu.

Select 'N' for new account.

Select IMAP as the account type.

Type a descriptive name in the account
name field.

Type the IP or DNS name of the machine
in the Server field and add /novalidate-
cert at the end; this is needed since cone
looks for SSL by default. Enter the username,
including the domain, in the Login field.
Enter the password in the Password field.
Select the Inbox folder.


Once you are able to connect to the 
IMAP server with your own client or with 


On the 'Net

Dovecot site: http://dovecot.org/
Postfix web site: http://www.postfix.org/
PostgreSQL site: http://www.postgresql.org/
Cone web site: http://www.courier-mta.org/cone/


Listing 5. Dovecot SQL configuration file

driver = pgsql
connect = host=localhost dbname=mail user=mail password=Pass2009
default_pass_scheme = CRYPT
password_query = SELECT crypt AS password FROM passwd WHERE id = '%u'
user_query = SELECT home, uid, gid FROM passwd WHERE id = '%u'


Listing 6. Mailer.conf for Postfix

#
# Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
#
sendmail    /usr/local/sbin/sendmail
send-mail   /usr/local/sbin/sendmail
mailq       /usr/local/sbin/sendmail
newaliases  /usr/local/sbin/sendmail


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Listing 7. Postfix configuration file

queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
html_directory = /usr/local/share/doc/postfix
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = /usr/local/share/doc/postfix
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
setgid_group = maildrop
mail_owner = postfix
myorigin = $myhostname
relay_domains = $mydestination
mynetworks_style = host
mydestination = localhost, localhost.$mydomain
# /usr/Mail arbitrarily chosen: pick a directory of your choice,
# where the mailboxes for virtual_mailbox_maps will be placed
virtual_mailbox_base = /usr/Mail/
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
local_recipient_maps = $virtual_mailbox_maps
virtual_mailbox_maps = hash:/usr/local/etc/postfix/
virtual_alias_maps =
virtual_uid_maps = static:26
virtual_gid_maps = static:6
message_size_limit = 20450000
smtpd_delay_reject = yes
smtpd_helo_required = yes
# Multiple domains for virtual_mailbox_domains can be
# comma separated or use a file like I show you below
virtual_mailbox_domains = mydomain.com
smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_pipelining
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_unknown_reverse_client_hostname
    reject_unknown_recipient_domain
    reject_unauth_destination
smtpd_client_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_pipelining
# SASL authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes


Listing 8. Postfix changes to master.cf

# Dovecot LDA
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=mailnull:mail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -n -m ${extension}


Listing 9. Adding a user to the database for mail

# psql -U pgsql mail
insert into passwd (id, crypt, home)
values ('postmaster@mydomain.com', '$1$ivtiEVV9$kpnG/PBBWm6wNJ.Pe7qgri', '/usr/Mail/mydomain.com/postmaster');


cone, you then need to try sending an
email to it. If the machine is the machine
responsible for handling email for the
given domain (i.e. DNS MX records
point to it) you can send an email
to your test user from any machine.
If the IMAP server doesn't yet have MX
records pointing to it, you can still test
your setup by setting the machine you
configured as your Cyrus server as the
SMTP server. If using cone from the same
machine you don't need to do anything
extra. Just write an email and send it to
your test user. By default cone will use
the current machine as the delivery SMTP
server.


Additional notes

The way we configured PostgreSQL for
this tutorial allows any user to connect
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to the server. You need to edit your
pg_hba.conf to make it secure. See
http://www.postgresql.org/docs/8.4/
interactive/auth-pg-hba-conf.html.

The sieve plugin we installed allows
you to set up filtering at the IMAP level.
See http://wiki.dovecot.org/LDA/Sieve for
instructions on how to use sieve.


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
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
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Monitoring OpenBSD with symon

Matthias Pfeifer

Once you have your OpenBSD server running, you might want to monitor your
machine. There are several ways to do this and there is a large number of tools you
could use for it.

One of these tools I will show you in this how-to article
is symon. Symon is very easy to install and, once the
setup is done, it will provide useful status information
about your system. One of its greatest benefits is the
graphical presentation and its very simple configuration.
Because of the design of symon, you can also use symon in a large
network environment. And of course, symon will work on all
other BSDs too. Our symon setup comes in two parts: symon
and syweb. The symon package contains symon and symux,
which are used to collect and prepare the collected information.
Syweb is used to display the collected data.


Note
Syweb needs PHP. So make sure that you have PHP installed.

Installing symon

On OpenBSD, we are in luck, because there are symon and
syweb packages available (make sure that your PKG_PATH
variable is set, e.g. export PKG_PATH=ftp://ftp.openbsd.org/
pub/OpenBSD/4.5/packages/i386/). Then you can just type
pkg_add symon in your console (see Listing 1). For the further configuration it is
better to have syweb already installed (see Listing 2).


Configuring symon

I will show you a small symon setup here, so we do not change
any paths for syweb. The following configuration is very easy
to extend. See the manpages of symon and symux (man symon,
man symux). We start our configuration with the following files:

/etc/symon.conf
/etc/symux.conf

For the beginning, we want to monitor just the first CPU (cpu(0))
and the RAM (mem) (look at the Data formats section in the
symon manpage for more monitoring targets). Ok, let's start
and add this to /etc/symon.conf:

monitor { cpu(0), mem } stream to 127.0.0.1 2100

As you can see, we will stream the collected data to localhost.
However, you can stream these data to another monitoring
station. Just enter the machine's IP here.

Now, add the following lines to /etc/symux.conf (see
Listing 3).

The source section is set for every host which should be
monitored. The source section in symux.conf is similar to the
monitor section in symon.conf.


Listing 1. Installing symon

# pkg_add symon
libart-2.3.20p7: complete
rrdtool-1.2.30p3: complete
symon-2.78: complete
--- +symon-2.78 -------------------
Example configurations for both symon and symux have
been installed in /usr/local/share/examples/symon.
RRD files can be obtained by running
/usr/local/share/symon/c_smrrds.sh

Read the LEGACY section of symux(8) for information about
migrating RRDs from a previous symux version.
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Next, we need the datadir directory
for our data:

mkdir /var/www/symon/rrds/localhost

Listing 2. Installing syweb

# pkg_add syweb
syweb-0.55p1: complete
--- +syweb-0.55p1 -------------------
syweb's default install assumes that:
- apache is chrooted at /var/www
- rrdtool is installed in the chroot
- symux rrd files are kept in /var/www/symon/rrds/HOST/*.rrd

rrdtool can be installed in the chroot using
/var/www/symon/install_rrdtool.sh

Customise /var/www/htdocs/syweb/setup.inc if these assumptions are
incorrect.

Note

Each source section needs its own datadir!

Symon ships with some useful shell
scripts which make the configuration


Listing 3. Configuring /etc/symux.conf

mux 127.0.0.1 2100
source 127.0.0.1 {
    accept { cpu(0), mem }
    datadir "/var/www/symon/rrds/localhost"
}
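As an added example that is not part of the article, the following POSIX shell script checks a symux.conf against the rule from the Note above (each source section needs its own datadir, and no two sources may share one). It assumes one directive per line, as in Listing 3; the sample configs it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: validate the datadir rule in a
# symux.conf. Assumes one directive per line (the layout of Listing 3).
# On a real host you would run: check_symux_datadirs /etc/symux.conf

# Returns 0 when every "source" section has exactly one datadir and all
# datadirs are distinct; otherwise prints the problems to stderr and returns 1.
check_symux_datadirs() {
    awk '
        # "source 127.0.0.1 {" opens a section; $2 is the host being monitored
        /^[ \t]*source[ \t]/ {
            src = $2
            has_dd[src] = 0
        }
        # datadir "/var/www/symon/rrds/host" belongs to the current source
        /^[ \t]*datadir[ \t]/ {
            dd = $2
            gsub(/"/, "", dd)
            if (src == "") {
                print "datadir outside any source section: " dd > "/dev/stderr"
                bad = 1
                next
            }
            has_dd[src]++
            if (dd in owner && owner[dd] != src) {
                print "datadir " dd " shared by " owner[dd] " and " src > "/dev/stderr"
                bad = 1
            }
            owner[dd] = src
        }
        END {
            for (s in has_dd)
                if (has_dd[s] != 1) {
                    print "source " s " has " has_dd[s] " datadir lines (need 1)" > "/dev/stderr"
                    bad = 1
                }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the single-host setup from Listing 3.
write_good_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
mux 127.0.0.1 2100
source 127.0.0.1 {
    accept { cpu(0), mem }
    datadir "/var/www/symon/rrds/localhost"
}
EOF
    echo "$f"
}

# Constructed sample: a second host pasted in, still pointing at the first
# host's datadir, which is exactly the mistake the Note warns about.
write_bad_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
mux 127.0.0.1 2100
source 127.0.0.1 {
    accept { cpu(0), mem }
    datadir "/var/www/symon/rrds/localhost"
}
source 192.0.2.10 {
    accept { cpu(0), mem }
    datadir "/var/www/symon/rrds/localhost"
}
EOF
    echo "$f"
}

# Stand-alone run: report on both samples, then clean up.
good=$(write_good_sample); bad=$(write_bad_sample)
check_symux_datadirs "$good" && echo "good sample: ok"
check_symux_datadirs "$bad" || echo "bad sample: rejected"
rm -f "$good" "$bad"
```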


Listing 4. Creating rrd files

/usr/local/share/symon/c_smrrds.sh /var/www/symon/rrds/localhost/cpu0.rrd
/usr/local/share/symon/c_smrrds.sh /var/www/symon/rrds/localhost/mem.rrd

Listing 5. Checking processes

# ps -waux | grep sym
root     25000  0.0  0.0  ...  6:13PM  0:00.22 /usr/local/libexec/symux
_symon    5234  0.0  0.0  308  844 ??  Ss  6:19PM  0:00.08 /usr/local/libexec/symon

Listing 6. Starting services at boot time

if [ -x /usr/local/libexec/symux ]; then
    echo -n " symux"; /usr/local/libexec/symux
fi
if [ -x /usr/local/libexec/symon ]; then
    echo -n " symon"; /usr/local/libexec/symon
fi
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much easier. You can find the scripts in
/usr/local/share/symon/.

One of the shipped scripts is used to
generate the needed rrd files. We need
to create two rrd files for our monitoring
objects (cpu(0) and mem) (Listing 4).

Now, it's time to start and check the
services:

# /usr/local/libexec/symux
# /usr/local/libexec/symon

When you check the services, you should
get an output similar to the following: see
Listing 5.

Note

Be sure that you start symux first.
Otherwise symon will not provide any
data to symux.

In most cases, we want to start services
at boot time. So we add the following lines
to /etc/rc.local (see Listing 6).

Now we have symon and symux
running. That is fine but not really useful
for us because we would like a graphical
presentation of our system statistics.

If you are running apache chrooted
in a default setup, all you need is to
point your browser to http://localhost/
syweb/. If you have some other individual
configuration, you should adjust your
configuration (e.g. symlink the syweb
directory into an appropriate location and
configure a virtual host).

Caveat

There is one well known issue when symon
starts. It could happen that you receive the
following message in your logs:

symux: could not get a semaphore

We need to do a little sysctl tuning
(the values are just advice; feel free
to figure out the best setup for your
environment).

sysctl -w kern.seminfo.semmni=256
sysctl -w kern.seminfo.semmns=1024

To make these sysctl values persistent, add the
following lines to /etc/sysctl.conf:

kern.seminfo.semmni=256
kern.seminfo.semmns=1024

Visit http://www.xs4all.nl/~wpd/symon/
index.html for additional information.
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BSD as the Platform
for Operationalizing Organizational
Flexibility via a Data Concourse

Richard C. Batka

A major change is about to take place in large organizations worldwide and BSD is
positioned perfectly to play a starring role.

Long known for its rock solid stability and reliability in
the airline and banking industries, BSD will be used
by organizations to build information interchanges.
Building on a reliable BSD infrastructure will be the key
to operationalizing flexibility and the future standard platform
for Operationally Aware Vector Adjusting Application (OAVAA)
environments.

To meet increased market demand for products and
services, large organizations today rely on a complex web of
interconnected business relationships with partners, vendors,
and suppliers. When unexpected delays occur, they create
chaos.

These problems are addressed by creating custom
processes (called one off exception processing) and, as all of
you know from your administration/infrastructure experience,
any time you implement sudden/drastic changes throughout
the operational ecosystem you consume valuable resource
cycles which inevitably prevent operational flexibility.

We are constantly seeking better returns on our technology
expenditures (investment) and we are always looking for
ways to optimize current service/delivery capability based
on new or improved business processes (by attempting to
integrate information from multiple functional areas within the
organization). For the most part, this is a process that takes
time, requires multiple approvals and numerous man hours
to complete, and speed to completion is always an issue.
Typically these services are built on service platforms that
span the organization.


Fact 

Over 70 percent of organizations that have invested in 
enterprise systems have not received the promised benefit 
on schedule (or) have invested more money than originally 
anticipated. 


BSD in the Enterprise 

Imagine if you will a BSD based data concourse service that 
enables organizations to achieve a high level of flexibility and 
the ability to quickly integrate change at an enterprise wide level. 
This can be achieved by effective communication through an 
information interchange specifically built on the BSD platform, 
designed to support the automatic, cross boundary capability 
to create, change, and modify processes. 

It's a movement that's building momentum today and
it's something you need to prepare for in the next 18-24
months. Thousands of organizations worldwide will build
out this new capability and quickly discover that they have a
distinct market advantage.


BSD has the Flexibility

BSD has the flexibility to provide a reliable infrastructure for applications that are
data concourse service aware and ready to facilitate operations
among vendors, customers, and suppliers by aggregating
discrete data elements, structuring them as information, and
providing push up reports with wide visibility.

This new environment will also allow firms to achieve
economies of scale upon the creation of a data concourse
service that provides clients and their partners the use of
standardized operational applications connecting to standardized
business management applications which will have the
support functions to enact real time process change at an
operational level.

The goal is to enable effective, real time information
interchange by creation of a data concourse service which
will promote the aggregation of data from internal and
external sources, correlate it, and then make it available
for immediate automated process/rule creation or further
analysis. Additionally, it does something that has never
successfully been achieved before at the enterprise level:
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connect operational applications and
business management applications.

Creating these Connections
is the key to Organizational
Flexibility and Ultimately
Competitive Advantage

Through effective information interchange
(and the associated automatic rule/
process creation that results) between
organizational levels/business units
within the organization, organizations
will be able to achieve something
never thought possible: automatically
creating process connections between
strategy and operations, so that changes
are automatically incorporated on either
side. To achieve this, an organization
must have the proper combination of
BSD based infrastructure, event aware
applications, and flexibility.


What is BSD Based Information
Interchange?
Information interchange enables a
clear separation of duties between
applications that support standard
operations and those applications that
require flexibility to handle changes.
BSD is the platform of choice to support the
next generation of aware applications
that allow for the successful resolution
of semantic differences between
unstructured and structured data in use
by applications today.

I call the next generation
applications Operationally Aware Vector
Adjusting Applications (OAVAA). These
applications will provide organizational
leadership with what's been lacking
today, namely real-time shared visibility
in aid of effective decision making and
the ability to automatically react to deltas
discovered between operational and
business management applications
upon synchronization. These interchange
features provide the balance needed for
enterprise flexibility.
The elements to this approach are: 


Enterprise based, process enabled, 
operational & business management 
applications 

Information interchange (based on 
a robust BSD environment) which 
facilitates the connection between 
areas (example: operations and 
business) 

Audit trail capability 

Multi-site deployment capability with 
failover & backup capability 
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Straight forward licensing model 


Operational applications designed for
efficiency are insulated from needing to be
changed frequently. Business management
applications are flexible and easier to
change; they support collaboration,
analysis, and decision support. So, to
achieve flexibility, the enterprise must have
the proper combination of hard and fast
business rules and openness to change.


Flexibility?

All enterprises want to be flexible. They
want the ability to change with current
market conditions; however, many confuse
flexibility with speed to market. They find
themselves failing because of the inability
to make changes related to those current
market conditions. Meanwhile, others are
so intent on effectiveness that they turn
a blind eye to market conditions.


It's a Moving Target 

All companies have strategy and all 
companies have operations. Prevailing 
wisdom would say that changes in the 
marketplace should lead to changes 
in strategy and operations — but this is 
never the case. 


Fact 

Seven of eight large enterprises failed to 
meet self imposed growth (profitability) 
targets. 


Fact 

More than 95 percent of employees are 
unaware of or do not understand their 
enterprise strategy. 
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Self-evident Disconnect

Strategy and operations are not
communicating effectively. Strategy
prepares for the future and chases flexibility,
but operations are rigid and designed to
be consistent. Strategy requires extreme
flexibility in making choices and changes
frequently, while operations are complicated
and take time and money to change. There
is a disconnect between strategy and
operations. The disconnect is the roadblock.
Why? Because changes in strategy are
not reflected in operations fast enough.

Over the years organizations have spent
millions of dollars trying to synchronize the
two, by investing in enterprise resource
planning (ERP), operational support
systems, decision support systems,
performance management tools, analytics,
and dashboards. Talk to an executive on
the golf course about these systems: they
will be happy to share tales of frustration
regarding massive integration contracts,
mediocre results, and uncomfortable
silences during board meetings. For real
excitement, try asking a front line manager
after they spent all week in training on
these systems.


Fact 

Employees at every level of the enterprise 
spend the majority of their day finding 
information, without consideration (or) 
time to care for what it means. 


In the Mean Time
While the applications play catch up, we
can prepare by spending our energy
building an information interchange.
Most applications will adapt but for the
ones that don't, we can offer access
to the interchange. The information
interchange will play two key roles:

Manage the semantics so applications
can share and integrate information
in a plug-and-play manner.
Operationalize the connection
between strategy and operations so
that respective applications are able
to stay in sync.

This is operationalizing flexibility.


Warning

Many of today's applications in the
operational space play a key role in
saying no, your organization can't afford
to make that change, because the
created financial projection says you
can't afford to change the application.


Alternative Flexibility

Externally to the organization you
should accept that change happens,
so look to build solutions such as
information interchanges that offer
services to the strategy and operations
groups within the organization through
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
the creation of a dedicated BSD based
data concourse service infrastructure.

BSD is a stable platform to build
any type of transactional processing
system. Handle changes in a data
concourse layer that resides between
business applications and operational
applications. Keep in mind that changes
occur all over the enterprise: product
development, sales, customer support,
IT, marketing, and all other functions in an
enterprise that operate in an environment
of increasing change.


Historically Speaking:

Strategy and Operations Differ 
in Key Ways 

Processes closer to strategy are semi 
structured and constructed on the fly. 
Processes in operations are clearly 
defined. The processes that live closer 
to strategy use structured and unstruc- 
tured inputs, whereas operations rest on 
structured data supplied by reliable data 
sources. 


Questions to Ask 


What processes exist today that
touch both strategy and operations?
How does your organization tell the
difference between a structured process
request and a semi-structured process
request?

Is the leadership team able to see 
change coming based on top level 
reports produced by the organiza- 
tion? 

Can front line managers make 
changes to operations easily? 


Take for example enterprise dashboards 
that monitor a myriad of organizational 
performance metrics. They provide 
valuable information to the people 
that need to know. However, do you 
have access to the systems required 
to modify (change) activities without 
disruption to the enterprise? Probably 
not. 


Case Study: 

BSD Network Management 
Tools 

The majority of tools in use today
deploy some type of agent to the end
node (let's call that a type of business
management application) which is done
to accept or decline patches and code
drops to the end node, a type of shielded
information interchange that exists
between the management node, patch
server, reporting server, and end node. If
we scale this architecture to the larger
business functions of the organization
for the singular purpose of increased
flexibility, we will see that we can make
changes to operational process and
implement them with minimal disruption.


Case Study: 

BSD Security Patches 

Applying security patches to your 
BSD environment is an important part 
of maintaining computer software, 
especially the operating system. For the 
longest time on FreeBSD, for example, 
this process was not an easy one. 
Patches had to be applied to the source 
code, the code rebuilt into binaries, and 
then the binaries had to be re-installed. 
Today you can use a _ utility called 
freebsd-update. This is an example of 
a service that can be offered at the 
information interchange through the 
data concourse service. 

This utility provides two separate
functions. First, it allows for binary
security and errata updates to be
applied to the FreeBSD base system
without disruption (the build and
install requirements). Secondly, the
utility supports minor and major
release upgrades (again with minimal
disruption).


Tip 

Use the cvsup command to obtain and
update FreeBSD sources. To use it, you 
will need to install a port or package 
like net/cvsup-without-gui. If you are 
using FreeBSD 6.2-RELEASE or later, 
you may wish to substitute this with 
csup(1), which is now part of the base 
system. 
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Implementation

You know that organizations are
inherently resistant to change, so your
level of success will be determined
in large part by your approach. A well
thought out plan is required. Take the
following implementation approach
for organizations with up to 30,000
employees.

Pilot: 1-500 people
ROI (checkpoint)
Larger Group: 15,000 people
ROI (checkpoint)
Organization Wide: 30,000 people
ROI (checkpoint)


Conclusion 

Business is constantly experimenting
with new strategies to take advantage
of change while minimizing its disruptive
effects. The business environment will
always be changing and you have the
opportunity to build new environments
in support of operationalizing flexibility by
creating real time, adaptive connections
between business units.

This new approach goes beyond
simple Enterprise Application Integration
(EAI), Service Platforms, and Business
Process Management. It's a call for a
complete rethinking of the connections
that exist between and within every core
group within the organization. Any link
that exists between two or more critical
business functions is fair game for this
new thinking.

Enterprises that can leverage
applications to create a balance between
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standardization and flexibility (and then
operationalize flexibility) will have a unique
competitive advantage which will allow
them to dominate in the marketplace.
This is clearly an opportunity for you to be
on the forefront of this seismic shift that is
about to take place while unleashing the
true power of BSD. If you help establish
these architectures, the ones that help
organizations make this transformation
smoothly will most definitely benefit at
promotion/bonus time.
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Living The PC-BSD Lifestyle

James T. Nixon III

Some people are Mac, some are Windows, I am PC-BSD. PC-BSD is more than an
operating system, it's a lifestyle.

Sitting next to my 47" Westinghouse LCD TV is the
iXsystems Apollo Workstation. This workstation
is powered by the 5500 series of the Intel Xeon
processor, an Asus GeForce 9800 GT video card,
and 4 gigs of RAM. It came with PC-BSD Galileo Edition (7.1)
pre-installed and a handful of applications that immediately
increased my quality of life tenfold. Using free software
instead of spending hundreds, or even thousands of dollars
on commercial software is great, especially because I enjoy
dabbling in Photoshop, FL Studio, Sony Music Studio, as well
as playing games such as Left 4 Dead, Half-Life 2, and Eve
Online.

First things first, can I play my favorite games? The answer
(for me) is absolutely! I am a huge fan of Valve and their
Steam client because I tend to scratch or lose CDs. I created
my Steam account in 2004 when I purchased Half-Life 2,
although I never finished the game because my computer
could not handle it. 45 minute loading screens do not work
for me... So, I forgot about Valve for a while and moved on to
other hobbies, namely music and web design. When I was
away from my drumset, I was on my PC hacking away at
local band websites, doing photomanipulation in Photoshop,
or creating Classic Nintendo remixes in Sony Music Studio
(formerly Acid Pro). I was also dual-booting random Linux
distros (with much displeasure), because I got tired of the
constant degradation of performance on my Windows box.
I found that I couldn't enjoy most of my computer related
hobbies on Linux, and worse yet, most of the websites I was
developing or visiting didn't work or look the same. So I forgot
about Linux for awhile, too.

Enter PC-BSD, one desktop to rule them all! The PC-BSD
operating system truly changed my life. No more Windows,
no more Linux, and all (okay most) of my hobbies intact. I
replaced Photoshop with GIMP, Sony Music Studio with Ardour,
and Dreamweaver with Bluefish. The transition from Windows
to PC-BSD was fairly easy. Adapting to a new collection of
programs and bugs was the
hardest part, but didn't stop me from pursuing a Windowless
lifestyle. I am not against commercial software, I just prefer to
spend money on open source software, hardware, and video
games. This is where Valve comes back into the picture.


PC-BSD is for Gamers

One lazy afternoon, I was bored and thought I'd download
the Steam client from steampowered.com and install it
on PC-BSD. PC-BSD comes with Wine, so Steam installed
without any problems. When I opened Steam and entered
my account details, all the games I purchased in 2004 were
waiting for me to install. I was feeling pretty lucky at this
point, so I chose to install Half-Life 2 first. An hour or so later
I launched Half-Life 2. There was only one problem, sound
did not work. I was a little sad, but I turned captioning on
and played for a minute, saved, loaded, and then quit. After
a minute of searching on winehq.org I found out that all I
needed to do was set the sound acceleration in winecfg to
Emulation.

After doing that, I launched Half-Life 2 again. This time
sound worked perfectly. Amazed at how beautiful the game
looked, I pressed my luck and maxed out the graphic settings
to include full bloom and reflection. Victory! To see what the FPS
was, I opened the developer console and typed 'cl_showfps 1'
and the result was a steady 300 frames per second. Simply
amazing. After playing Half-Life 2 for a few hours I hopped
on Deathmatch and CounterStrike: Source. Both worked
flawlessly. Pretty pleased with Valve at this point, I went to http:
//store.steampowered.com and purchased Left 4 Dead which
also worked flawlessly on PC-BSD. The next Steam game I
tried was Overlord II, which didn't work at all, but Assassin's
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Creed from Ubisoft played wonderfully. 
In the end, 4 of the 5 games | tested 
ended up playing better on my PC-BSD 
machine than any Windows box | have 
ever owned. 


PC-BSD is for Music Lovers

Life is not all fun and games. You need to mix things up with music too. There are many choices for audio players on PC-BSD. My personal choice is Amarok. Amarok has an easy to use and intuitive interface and comes with great features like displaying lyrics, downloading album art, and connecting to your Last.fm account, just to name a few. If you have a Last.fm account, you will also enjoy the Last.fm PBI on pbidir.com. The Last.fm application is an easy to use radio alternative. I tend to use it at work when I get bored of my local collection. Another great alternative to the traditional FM radio is Pandora.com, and it too works flawlessly on PC-BSD.


Pandora allows you to create a radio station based on your personal tastes. As you give songs a thumbs up or thumbs down, Pandora takes into account several attributes and plays similar songs. For example, the acoustic version of Creep by Radiohead has pop rock qualities, acoustic sonority, repetitive melodic phrasing, major key tonality, and a dynamic male vocalist. Mix this with, say, Cannibal Corpse, and you'll have a unique blend of music in constant rotation. After listening to music for a while I tend to get the musician's itch. If this happens and I don't have a band to jam with, I open up Ardour and start recording, editing, and mixing my own music. Ardour is very similar to Cubase, Nuendo, Adobe Audition, etc. But like any program, it has its quirks. After a few hours of use you'll feel right at home. Ardour does multichannel recording, non-linear, non-destructive region based editing with unlimited undo and redo capabilities. It also features full automation support, an amazing mixer, and plenty of plugins to tweak and shape sound to your heart's content. I've had it crash a few times, but I found that turning off auto-crossfade solved this problem. In the near future I am going to set up a completely open source recording studio for my fellow musical geeks and me to create "open music" for the masses.


PC-BSD is for Movie Buffs

PC-BSD has several applications for playing DVDs. I chose Xine. Xine can play CDs, DVDs, and VCDs. It will also decode AVIs, MOVs, WMVs, and MP3s from your local collection, as well as play multimedia streamed from the net. If I'm not watching a DVD in Xine, I'm using Miro as my open source alternative to DVR and cable television. I ditched paying for cable over a year ago. Using Miro made this possible. I have all my favorite television shows auto-download as they are released using various RSS torrent feeds. Miro can play most video files and offers over 6,000 free internet TV shows and video podcasts. Watching Lost in HD on my 1080p 47" television is a wonderful experience. Occasionally, I want to watch a TV show instantly. That's when I go to Hulu.com. Hulu.com is an amazing site that streams HD television shows and movies over the internet using Flash. All of this is done while I am lounging on my couch using a wireless mouse and keyboard on my coffee table. And if watching movies isn't enough, editing video is a snap with Kdenlive. Kdenlive is a non-linear video editor for PC-BSD that is designed for basic or semi-professional video editing. It supports DV, AVCHD (which is considered experimental), and HDV editing. There are other video editors out there, but Kdenlive was the easiest to get the job done.


PC-BSD is for Everyone!

Whether you're a gamer, music connoisseur, movie enthusiast, or all of those, PC-BSD is the operating system for you. For more information or to download PC-BSD, visit http://pcbsd.org. To download PC-BSD software, visit http://pbidir.com.
Tips and tricks

by Dru Lavigne

In this issue of BSD Tips and Tricks, readers share some of their favourite tips for solving problems and saving time.


Denny White of OpenBSD101 has several tips available at http://polarwave.openbsd101.com. One of his favourite tricks shows how to keep the /home partition intact during an in-place upgrade.

NOTE: Before any upgrade, always back up your data first, just in case!

The gist of this trick is that you tell disklabel to ignore the /home partition so it is not reformatted during the upgrade. To do this, go through the normal install routine until you get to the disklabel section. If you accept the defaults for each partition, your screen will look something like the output in Figure 1.

Note that the default is to press enter for each partition, meaning each partition will be formatted. Instead, you want to type in the word none when you get to the /home partition so it looks like Figure 2 instead.

You can then continue through the installation as usual.

Once the installation is complete, the upgraded system won't be aware that you have an existing /home partition that you would like to mount at boot time. You can fix this by editing /etc/fstab to re-add your /home partition.


Jan Schaumann of netmeister.org offers the following tip. To let the shell figure out where the package to install is, type:

cd /usr/pkgsrc/*/package

This logic works on any system. Figure 3 shows example output from a PC-BSD system. In this example, I wanted to cd to the build directory for firefox and the shell figured out for me that it was a subdirectory of /usr/ports/www. I then wanted to cd to the build directory for gimp, and the shell figured out it was a subdirectory of /usr/ports/graphics.
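The trick above relies on the glob expanding to exactly one directory. A name that exists in several categories expands to several paths, and what cd then does is shell-dependent; a name that exists nowhere leaves the literal pattern for cd to fail on. The following is an added example (not from the column or from Jan Schaumann) that does the same lookup but counts the matches first. The category/name layout is the ports and pkgsrc convention; the sample tree it builds in a temporary directory is constructed for the example and nothing under /usr/ports is touched.

```shell
#!/bin/sh
# Added example: resolve a port or package name to its directory the way
# "cd /usr/ports/*/name" does, but refuse ambiguity instead of letting cd
# pick. Constructed sample tree below; not part of the column.

# portdir TREE NAME
#   prints the single matching directory and returns 0
#   returns 1 if nothing matches, 2 if more than one category has NAME
portdir() {
    tree=$1
    name=$2
    # Let the shell expand the glob into the positional parameters so the
    # matches can be counted instead of all being handed to cd.
    set -- "$tree"/*/"$name"
    if [ "$#" -eq 1 ] && [ ! -d "$1" ]; then
        echo "portdir: no port named $name under $tree" >&2
        return 1
    fi
    if [ "$#" -gt 1 ]; then
        echo "portdir: $name is ambiguous, matches:" "$@" >&2
        return 2
    fi
    printf '%s\n' "$1"
}

# Constructed sample tree: two unambiguous ports (the ones from Figure 3)
# and one name that appears in two categories.
TREE=$(mktemp -d)
trap 'rm -rf "$TREE"' EXIT
mkdir -p "$TREE/www/firefox" "$TREE/graphics/gimp" \
         "$TREE/net/sample-tool" "$TREE/security/sample-tool"

portdir "$TREE" firefox                                  # $TREE/www/firefox
portdir "$TREE" gimp                                     # $TREE/graphics/gimp
portdir "$TREE" sample-tool || echo "(exit status $?)"   # ambiguous, status 2
portdir "$TREE" nosuchport  || echo "(exit status $?)"   # no match, status 1
```

In an interactive shell you would use it as `cd "$(portdir /usr/ports firefox)"`, and the failing cases stop before cd runs.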


Figures 1 and 2. Instructing disklabel to Ignore /home (terminal screenshots of the OpenBSD disklabel prompts; not reproduced)

Figure 3. cd to Unknown Directory

[root@pcbsd] /root(105)# cd /usr/ports/*/firefox
[root@pcbsd] /usr/ports/www/firefox(106)# cd /usr/ports/*/gimp
[root@pcbsd] /usr/ports/graphics/gimp(107)#

Figure 4. Last Parameter Substitution

[root@pcbsd] /root(110)# ls /usr/home
dru/
[root@pcbsd] /root(111)# cd !$
cd /usr/home
[root@pcbsd] /usr/home(112)#
Adding Notification of RAID Status to Daily Output

Charles Sprickman of NYCBUG has a shell script he added to /usr/local/etc/periodic/daily to put RAID status in his daily emails: see Listing 1.


!$ Substitution

Francisco Reyes of NYCBUG reminds us how handy !$ can be. Figure 4 shows an example usage. In this example, the shell remembered that the value of the last parameter in the ls /usr/home command was /usr/home. In the second command, I asked to cd to that last value (represented by the variable !$), meaning that the shell interpreted this command as cd /usr/home.


Miscellaneous FreeBSD Tips

George Rosamond of NYCBUG has several tips he uses on his FreeBSD systems. He typically adds the following lines to /etc/rc.conf: see Listing 2.

For servers that aren't running X11, add the following line to /etc/make.conf before installing any ports:

WITHOUT_X11=yes

If you haven't heard of src.conf, read "man src.conf" to see if any settings are useful to your environment.

If you'd like to be notified when a task or script is complete on a remote system, add && mail to the command.


NetBSD 5 in Parallels 4

Michael Hernandez of NYCBUG was able to get NetBSD 5.x to work in Parallels by configuring the guest OS section as Solaris after discovering that choosing Other or FreeBSD did not properly configure networking.


dtrace

Pete Wright and Sahil Tandon of NYCBUG have some tips for those of you who have been wanting to give dtrace a try. The following scripts are available on OS X 10.5:

iosnoop
iotop
iopattern
iopending
opensnoop

man -k dtrace or apropos dtrace on OS X shows a bunch of other precooked scripts.

The DTraceToolkit, available in the sysutils section of the FreeBSD ports collection, provides the same functionality.


CARP

Ike Levy and Okan Demirmen from NYCBUG have some suggestions for those of you using carp(4) for redundant routers or firewalls. On FreeBSD, the lagg(4) interface makes it extremely easy to set up link failover or link aggregation using ifconfig.

On OpenBSD, use the trunk(4) interface. Both interfaces support load balancing, the LACP protocol, and EtherChannel.
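The paragraph names lagg(4) but shows no configuration. The fragment below is an added example (not from the column or its contributors) of the /etc/rc.conf form of a two-port failover group on FreeBSD: the interface names bge0 and bge1 and the address 10.10.10.13/24 are constructed placeholders, and the keys used are the cloned_interfaces and ifconfig_<interface> variables of rc.conf(5). With laggproto failover, traffic leaves through the first port listed and moves to the next one only when its link goes down, which is the property a redundant firewall pair wants underneath carp(4).

```shell
# /etc/rc.conf fragment (added example, constructed names and address):
# two physical ports behind one logical interface with link failover.
cloned_interfaces="lagg0"
ifconfig_bge0="up"
ifconfig_bge1="up"
ifconfig_lagg0="laggproto failover laggport bge0 laggport bge1 10.10.10.13/24"
```

Once this is in place, ifconfig lagg0 reports which laggport is currently active, and the CARP address is configured on top of lagg0 rather than on either physical port.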


Keeping Output Headers with Sed

Giorgos Keramidas (http://keramida.wordpress.com/) has a good tip that can be used to filter through the output
Listing 1. Adding Notification of RAID Status to Daily Output

#!/bin/sh

# show number of non-optimal drives attached to mpt raid card
NONOPT=`/sbin/sysctl -n dev.mpt.0.nonoptimal_volumes`

echo
echo "Checking MPT RAID array"
echo
if [ "$NONOPT" -eq 0 ]; then
    echo "No non-optimal volumes: ($NONOPT)"
elif [ "$NONOPT" -ne 0 ]; then
    echo "WARNING, $NONOPT non-optimal volumes!"
fi
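Listing 1 trusts that the sysctl always returns a number. When the mpt(4) driver is not loaded, the card has been moved, or the OID name has a typo, the variable is empty, both tests fail with a test(1) error, and the daily mail carries no verdict at all, which for a RAID monitor is the worst outcome. The script below is an added example (not Charles Sprickman's code) that keeps the column's sysctl name and output text but separates reading the counter from judging it, so the judging part can be exercised with constructed values. The exit codes are this example's own convention, not periodic(8)'s.

```shell
#!/bin/sh
# Added example: hardened variant of the Listing 1 idea. Not from the column.
# The sysctl name is the one the column uses; exit codes are this example's own.

# Read the counter from mpt(4). Prints nothing when the OID is absent, so the
# caller can tell "no card or driver" apart from "zero non-optimal volumes".
read_nonoptimal() {
    /sbin/sysctl -n dev.mpt.0.nonoptimal_volumes 2>/dev/null
}

# report_nonoptimal VALUE
#   Prints a report for the daily mail and returns:
#     0  all volumes optimal
#     1  one or more non-optimal volumes
#     2  counter missing or not a number (the case Listing 1 reports silently)
report_nonoptimal() {
    value=$1
    echo
    echo "Checking MPT RAID array"
    echo
    case $value in
        '' | *[!0-9]*)
            echo "WARNING, could not read dev.mpt.0.nonoptimal_volumes (got '$value')"
            return 2
            ;;
        0)
            echo "No non-optimal volumes: ($value)"
            return 0
            ;;
        *)
            echo "WARNING, $value non-optimal volumes!"
            return 1
            ;;
    esac
}

# Constructed sample values: healthy, degraded, and two forms of "unreadable".
for sample in 0 2 "" "sysctl: unknown oid 'dev.mpt.0.nonoptimal_volumes'"; do
    report_nonoptimal "$sample" || echo "(exit status $?)"
done

# Live run: on a machine without an mpt card this lands in the
# "could not read" branch instead of producing no verdict.
report_nonoptimal "$(read_nonoptimal)" || echo "(exit status $?)"
```

Dropped into /usr/local/etc/periodic/daily, the last line is the one that matters; the loop over samples is only there to show each branch.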


Listing 2. Miscellaneous FreeBSD Tips

rc_debug="YES"
rc_info="YES"

From "man rc.conf":

rc_debug (bool) If set to ''YES'', enable output of debug messages from rc scripts. This variable can be helpful in diagnosing mistakes when editing or integrating new scripts. Beware that this produces copious output to the terminal and syslog(3).

rc_info (bool) If set to ''NO'', disable informational messages from the rc scripts. Informational messages are displayed when a condition that is not serious enough to warrant a warning or an error occurs.


Figure 5. grep vs. sed (terminal screenshot: the same ps output filtered with grep dru, which drops the USER/PID/%CPU/%MEM header line, and with the sed pattern trick, which keeps it)
of commands when matching specific patterns, without losing the header line in the output:

command | sed -n -e 1p -e '/PATTERN/p'

Figure 5 shows the difference between grepping the output of a command vs. using the sed pattern trick to filter the same output.

Notice that in the grep output, the beginning header line is stripped away (USER, PID, %CPU, etc.), making the results less meaningful than the sed output which includes the header information. This sed trick will work with other sorts of commands such as ps(1) or iostat(1) output, or any other command that outputs a header before numeric stats.
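One detail the one-liner hides: 1p and /PATTERN/p are independent, so if the header itself happens to match PATTERN it is printed twice. The script below is an added example (not from the column or from Giorgos Keramidas) that puts the column's form next to a variant where the pattern is only applied to lines after the first. The ps-style sample output is constructed for the example; only the user name dru is taken from the column.

```shell
#!/bin/sh
# Added example: the header-keeping sed filter, with a duplicate-safe variant.
# PS_SAMPLE is constructed ps(1)-style output, not a real capture.

PS_SAMPLE='USER   PID %CPU %MEM COMMAND
root      1  0.0  0.1 /sbin/init
dru    1234  0.0  0.6 amarok
dru    1240  1.0  2.0 firefox
root    712  0.0  0.2 sshd'

# The column's form: print line 1, and print every line matching PATTERN.
# If the header matches PATTERN as well, it comes out twice.
keep_header_naive() {
    sed -n -e 1p -e "/$1/p"
}

# Same idea, but the pattern is applied only to lines other than the first
# (1! negates the address), so the header appears exactly once.
# Both forms assume PATTERN contains no unescaped '/'.
keep_header() {
    sed -n -e 1p -e "1!{/$1/p;}"
}

# grep for comparison: the header is lost.
printf '%s\n' "$PS_SAMPLE" | grep dru
echo ---
# sed: same two rows, header kept.
printf '%s\n' "$PS_SAMPLE" | keep_header dru
echo ---
# A pattern that matches every line shows the duplicated header in the
# naive form (first two lines are both the header).
printf '%s\n' "$PS_SAMPLE" | keep_header_naive '.' | head -n 2
```

With a real command the usage is the column's, for instance `ps aux | keep_header dru`; the header is line 1 of whatever the command prints, so anything that emits a banner before its header needs the address adjusted.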

We hope that you have enjoyed the tips in this column. If you have any tricks of your own, send them to dru@osbr.ca to be included in a future edition of the column.
I haven't written about things like this in a while, but the question was put to me and I thought it'd be worth jotting something down.

Perhaps you prefer something like the generic eth0 used on your Linux boxes or en0 as commonly found on
Listing 1. Original named interface ifconfig output

bge0: flags=8843 metric 0 mtu 1500
        options=9b
        ether 00:0b:cd:62:d3:c3
        inet 10.10.10.13 netmask 0xffffff00 broadcast 10.10.10.255
        media: Ethernet autoselect (100baseTX)
        status: active
bge1: flags=8802 metric 0 mtu 1500
        options=9b
        ether 00:0b:cd:62:d3:c2
        media: Ethernet autoselect (none)
        status: no carrier
lo0: flags=8049 metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
Listing 2. Renamed interface ifconfig output

bge0: flags=8843 metric 0 mtu 1500
        options=9b
        ether 00:0b:cd:62:d3:c3
        inet 10.10.10.13 netmask 0xffffff00 broadcast 10.10.10.255
        media: Ethernet autoselect (100baseTX)
        status: active
e1: flags=8802 metric 0 mtu 1500
        options=9b
        ether 00:0b:cd:62:d3:c2
        media: Ethernet autoselect (none)
        status: no carrier
lo0: flags=8049 metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
Listing 3. Renamed interface ifconfig output after rebooting

e0: flags=8843 metric 0 mtu 1500
        options=9b
        ether 00:0b:cd:62:d3:c3
        inet 10.10.10.13 netmask 0xffffff00 broadcast 10.10.10.255
        media: Ethernet autoselect (100baseTX)
        status: active
bge1: flags=8802 metric 0 mtu 1500
        options=9b
        ether 00:0b:cd:62:d3:c2
        media: Ethernet autoselect (none)
        status: no carrier
lo0: flags=8049 metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000


Mac OS X servers, or maybe something as short as e0 typically found on Cisco and Adtran routers and switches. Then again maybe you just want to name them something specific like public, private or DMZ.

So first you are probably asking yourself why would you ever want to change the name of your bge0 to something else? To answer it simply comes down to keeping things simple. Redundant, no? Honestly, if you have a set of standard ipfw firewall rules, for instance, that you wish to roll out to all of your machines, however they all have NIC cards from different manufacturers, then this will require quite a lot of work. Therefore why not just make it part of your initial setup to generic things up a bit?

Honestly, if you take a few minutes to prepare your machines ahead of time then you can use some sort of version control tool like svn to hold a single copy of your base firewall rules. Then you can perform a simple checkout and raise your shields in seconds. A quick change to the base checked back in, and then if you had all machines on a trigger system they can check out the current versions, effectively remodulating the shield frequencies. Ok, perhaps that was a bit too Star Trekky for most people.

So here's how to do it. On the command line as root or via sudo you can invoke ifconfig directly as follows:


www.bsdmag.org 




by Mikel King


ifconfig bgel name el 


Here is the basic ifconfig output prior to executing the above command: see Listing 1.

And the same after executing the command: see Listing 2.

Notice that the only change was the name identifying the second ethernet interface. Of course being able to manually manipulate the ethernet interface names is all well and good. I suppose you could also write your own script and stuff it into the rc.network startup somewhere, but that'd be a total waste of effort when you can just use the built-in rc.conf as follows to make the same change occur at startup.

You would make a change similar to the following in /etc/rc.conf:

ifconfig_bge0_name="e0"
ifconfig_e0="inet 10.10.10.13 netmask 255.255.255.0"


After a reboot you would see the following ifconfig output: see Listing 3.

Observe that the interface formerly known as bge0 is now simply e0. I shall leave it up to your imagination as to why the name of e1 has reverted back to bge1.
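The rename happens early in the boot, and from then on rc.conf(5) only knows the interface by its new name: the address has to be given as ifconfig_e0, and a leftover ifconfig_bge0 line is never applied, so the machine comes up renamed but unaddressed. The script below is an added example (not from the article or from Mikel King) that lints an rc.conf fragment for exactly that slip. The two fragments it checks are constructed for the example; the interface names and the 10.10.10.13 address are the article's.

```shell
#!/bin/sh
# Added example: lint rc.conf interface renames. Not from the article.
# rc.conf(5): ifconfig_<old>_name="<new>" renames <old> to <new> at boot,
# after which the address must be set with ifconfig_<new>=...

# check_rename_config FILE
#   prints one line per problem, returns 0 when the renames are consistent
check_rename_config() {
    awk '
        # ifconfig_bge0_name="e0"   ->  renamed["bge0"] = "e0"
        /^ifconfig_[A-Za-z0-9]+_name=/ {
            oldif = $0; sub(/^ifconfig_/, "", oldif); sub(/_name=.*/, "", oldif)
            newif = $0; sub(/^[^=]*="?/, "", newif); sub(/"? *$/, "", newif)
            renamed[oldif] = newif
            next
        }
        # ifconfig_e0="inet ..."    ->  configured["e0"] = 1
        /^ifconfig_[A-Za-z0-9]+=/ {
            ifn = $0; sub(/^ifconfig_/, "", ifn); sub(/=.*/, "", ifn)
            configured[ifn] = 1
        }
        END {
            bad = 0
            for (oldif in renamed) {
                newif = renamed[oldif]
                if (oldif in configured) {
                    printf("ifconfig_%s= is never applied: %s is renamed to %s at boot\n", oldif, oldif, newif)
                    bad = 1
                }
                if (!(newif in configured)) {
                    printf("%s is renamed to %s but ifconfig_%s= is missing\n", oldif, newif, newif)
                    bad = 1
                }
            }
            exit bad
        }' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed fragment 1: what the article ends up with. Address on the new name.
GOOD_RC="$WORK/rc.conf.good"
cat > "$GOOD_RC" <<'EOF'
ifconfig_bge0_name="e0"
ifconfig_e0="inet 10.10.10.13 netmask 255.255.255.0"
EOF

# Constructed fragment 2: the slip. The address line still says bge0, so e0
# comes up with no address and bge0 no longer exists to receive one.
BAD_RC="$WORK/rc.conf.bad"
cat > "$BAD_RC" <<'EOF'
ifconfig_bge0_name="e0"
ifconfig_bge0="inet 10.10.10.13 netmask 255.255.255.0"
EOF

check_rename_config "$GOOD_RC" && echo "$GOOD_RC: ok"
check_rename_config "$BAD_RC" || echo "$BAD_RC: exit status $?"
```

Run against the real file as `check_rename_config /etc/rc.conf` before rebooting; a non-zero status is the cue to fix the fragment rather than discover the problem from the console.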

Honestly, FreeBSD allows you the power to name the interfaces whatever you like. Maybe, just maybe you are one of those individuals that like to name things after your favorite flavor of ice cream, or after your favorite characters of Dune. Now that you know how, the choice is entirely up to you. Go have fun with it! I hope that this little technical note has been helpful.


Year 40 of the UNIX epoch begins

Brian D'Arcangelo, MCSE, Lynn Community Health Center, Lynn, MA, USA


As many UNIX/Linux users know, all UNIX-like operating systems start the count of time at January 1, 1970, the start of the UNIX epoch. Yes, I know that this is not precisely when the UNIX operating system was born but for our purposes it will do. It is similar to the idea that January 1, 2010 AD does not really represent the precise time since the birth of Christ (astronomers have proven this to be off by a few years) but we still use it as a time marker.

We do know that it was sometime in 1970 that the operating system got its name. Since it was derived from the abandoned MULTICS project at AT&T/Bell Labs it is said that Ken Thompson (one of its creators) chose the name Unics as a pun on the name Multics. Since the name Unics phonetically sounds like it ends in an x the name UNIX emerged and stuck.

The summary I am interested in giving is not so much about the chronological history of UNIX over the past 40 years but, instead, the profound impact that this landmark operating system has had on all of the operating systems that would follow. In my estimation, nearly every modern computerized technology that we use today can be in some way traced back to UNIX. We today can feel the same way towards the creators of UNIX as Winston Churchill felt about the pilots in the RAF during WWII when he said, "Never has so much been owed by so many to so few."


Start with the technology that no one could imagine being without today: the Internet. Even many non-technical persons are aware that the Internet is completely dependent on the TCP/IP networking protocol. But where did TCP/IP come from? It was first developed on the UNIX operating system. For that matter, when the Internet was in its infancy and was known as the DARPAnet, the entire backbone for it was built almost exclusively on UNIX.

We also owe our ability to use the Internet in a human friendly way in large part to UNIX. Whenever we enter an easy to remember URL into a web browser (such as http://www.bsdmag.org) DNS does the dirty work of translating that name into a network address and finding it. DNS was of course first developed and run on UNIX when it was known as BIND (Berkeley Internet Name Domain system) and became part of the BSD version of UNIX.

While we are on the subject of DNS, it is noteworthy that some of the most important servers that are really the backbone of the entire Domain Naming system on the Internet are in fact running on a UNIX operating system.

Indeed, to this day, not just DNS, but many of the bread-and-butter services we use on the Internet such as search engines (i.e. Google), email, web servers, and so on, continue to be run on some flavor of UNIX.

A little known piece of operating system history is the contribution that UNIX made to the growth of Microsoft in its early days. If you worked at Microsoft in the early 1980s you would have been quite familiar with UNIX. Microsoft's entire corporate network infrastructure was built on the Xenix flavor of UNIX and it remained so for quite some time. At that time, Microsoft believed that UNIX (i.e. Xenix) would emerge as its flagship product. Later, when Microsoft switched in directing its attention to MS-DOS, the legacy of UNIX persisted when artifacts from UNIX such as piping and redirection were incorporated into DOS.

UNIX is not only an important part of Microsoft's legacy, but Apple Computer's as well. You would be surprised to know how many Mac OS X users are not even aware that the operating system they are using is really UNIX underneath the hood. The legacy of UNIX even persists in such devices as Apple's iPod. You will see forums on the Internet littered with questions from stumped owners wondering why their iPod has mysteriously drifted to the date 1st January 1970.

While 1st January 1970 may be a mysterious date to the uninitiated, it was and remains the date from which time began as far as the UNIX community is concerned. May all of us today remember how much so many of us owe to the so few geniuses that gave us the still living legacy of the UNIX operating system.